Malware Analysis Report

2025-08-10 12:33

Sample ID 240403-npwzgsda78
Target 2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock
SHA256 fd5c5b32fc598588d980a1d4b54f4739bd376da59457f16efb3e8ba0076272b7
Tags evasion persistence spyware stealer trojan upx ransomware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 fd5c5b32fc598588d980a1d4b54f4739bd376da59457f16efb3e8ba0076272b7

Threat Level: Known bad

The file 2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan upx ransomware

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

UAC bypass

UPX dump on OEP (original entry point)

Renames multiple (72) files with added filename extension

Loads dropped DLL

UPX packed file

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-03 11:34

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-03 11:34
Reported 2024-04-03 11:37
Platform win7-20240221-en
Max time kernel 150s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A
N/A N/A C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TkkIYcgA.exe = "C:\\ProgramData\\ngAsMwgw\\TkkIYcgA.exe" C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YyoQIIwQ.exe = "C:\\Users\\Admin\\xIMIwcAc\\YyoQIIwQ.exe" C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YyoQIIwQ.exe = "C:\\Users\\Admin\\xIMIwcAc\\YyoQIIwQ.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TkkIYcgA.exe = "C:\\ProgramData\\ngAsMwgw\\TkkIYcgA.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\ngAsMwgw\TkkIYcgA.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 2944 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe
PID 1336 wrote to memory of 2448 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\ProgramData\ngAsMwgw\TkkIYcgA.exe
PID 1336 wrote to memory of 2604 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2616 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 1336 wrote to memory of 2644 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 3028 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 2528 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 2400 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 556 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1500 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 556 wrote to memory of 1504 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 2616 wrote to memory of 1532 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 584 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2340 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 960 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1976 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
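The WriteProcessMemory table flattens the parent/child relationships into one sentence per event, which hides the shape of the execution: the sample (PID 1336) spawns cmd.exe, cmd.exe re-launches the sample, and the new copy spawns cmd.exe again. The Python script below is an editor's example added to this report, not sandbox output. It parses those rows, de-duplicates them, prints the process tree and returns the longest parent-to-child chain, which for this sample is the re-execution loop 1336 -> 2604 -> 2616 -> 556 -> 1504 -> 1976. It assumes the fixed wording 'PID <parent> wrote to memory of <child>' and image paths without spaces; both hold for every row above. The embedded rows are copied from the table, one per distinct PID pair.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory' rows.

Editor's example, not sandbox output. Assumes the fixed row wording
'PID <parent> wrote to memory of <child> <indicator> <process> <target>'
and image paths without spaces (true for every row in this report).
"""
import re
from collections import defaultdict

# Rows copied from the table above, one per distinct parent/child pair
# (the report lists each pair four times; the parser de-duplicates anyway).
ROWS = r"""
PID 1336 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe
PID 1336 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\ProgramData\ngAsMwgw\TkkIYcgA.exe
PID 1336 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 1336 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1336 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 556 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 2616 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 2616 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)"
    r"(?: \(\d+ events\))?"  # tolerate a trailing '(N events)' count on collapsed rows
    r" (?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)


def parse_rows(text):
    """Return {(parent_pid, child_pid): (parent_image, child_image)}, de-duplicated."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["parent"]), int(m["child"])),
                             (m["process"], m["target"]))
    return edges


def build_tree(edges):
    """Adjacency list parent -> [children] plus a pid -> image-path map."""
    children = defaultdict(list)
    images = {}
    for (parent, child), (pimg, cimg) in edges.items():
        children[parent].append(child)
        images.setdefault(parent, pimg)
        images[child] = cimg
    return children, images


def roots(edges):
    """PIDs that write to others but were never written to: the initial process."""
    parents = {p for p, _ in edges}
    return sorted(parents - {c for _, c in edges})


def longest_chain(children, root):
    """Longest root -> ... -> leaf PID path (iterative depth-first walk)."""
    best = [root]
    stack = [[root]]
    while stack:
        path = stack.pop()
        kids = children.get(path[-1], [])
        if not kids and len(path) > len(best):
            best = path
        stack.extend(path + [k] for k in kids)
    return best


def render(children, images, pid, depth=0):
    """Indented text tree using the image basename, e.g. '2400 cmd.exe'."""
    name = images.get(pid, "?").rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


EDGES = parse_rows(ROWS)
CHILDREN, IMAGES = build_tree(EDGES)

if __name__ == "__main__":
    for root in roots(EDGES):
        print("\n".join(render(CHILDREN, IMAGES, root)))
        print("longest chain:", " -> ".join(map(str, longest_chain(CHILDREN, root))))
```

The same parser works on the behavioral2 table or on any other report in this format; the only per-sample input is the ROWS text. A chain in which the sample's own image alternates with cmd.exe is the signal worth keeping for a detection rule, since a packed sample that re-launches itself through cmd /c several generations deep is unusual for legitimate software.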

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe"

C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe

"C:\Users\Admin\xIMIwcAc\YyoQIIwQ.exe"

C:\ProgramData\ngAsMwgw\TkkIYcgA.exe

"C:\ProgramData\ngAsMwgw\TkkIYcgA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCIYYgwc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAsAwEkM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MWgEsokQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kcMkMIcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qccIQsss.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\amYAkYwg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSIkQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsIksQgU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmgEIUUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwgkMIQw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bCQIcscA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tOMYUMkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIcMQckY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-147764300317066094341942688819769568171-48259832812965744171354944409-973392880"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysgcEEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EosQIAwM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1727783360394117182-975402994-695824004-7309782395107011911847123321699015960"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QGYkgwQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5423656637815501411704887233-1861427210753164514055241661393284411-907888464"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WuEEkgUg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-490734232-1660659303-684805080-1563895453-1039795609-49958126946525608-12204437"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQckMQEA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\cYMIQgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-236637357-1557451753-834870811-834814781619461958738616964-11620490882078067422"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-889608869-1631408979-1787405557-2140022825-610835119-1073896856377700629281675367"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\IwQQcsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nEAYsAIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-429534031462337745-494336997-8482847902951329391023146024-1314304302904037896"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VmEoMEQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1497704733-275858149670181326-806923532-1830458189-1499244816725428236434832983"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tQYQQAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XYIUIQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-14773742221907703974-1673997589-248074526-361215672-6507928861527380725-1085995034"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGYoAggY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\bcoMMQsM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "681606092-133329116217763225901534668574-3745307871540650556-3050528141879422204"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyEEkEIE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1128267976936891733-922551108-1543772412-23243591311211051011377099866-244444187"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Oiogwswo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2783865231466448905-293658448-45748328754990145410585622-431892121-168748776"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ysMQcYko.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\caIUkwQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-936107385-1377688077-848081513-431478677142018769458880977-2057113570-1982717878"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2047257370-1569168921-18251668161057355914-10712308377172009-1925076704-1373502796"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKAMQokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-105527677217756897292656081-327032211-1570415608-178774812615925326931353408668"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1342617314-239337579-543112772-55438720516618006351381247698-1152950891871141179"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kUookAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1885278811375663514-161626204-2038911691333014878-1593887376-496522250-1124317064"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "216224994741131321-1192551174-15005440751776639008620105023-1337657501-898747122"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1650513559-1093537330-281834066-1341840754245424609-1152233357-614143681996770697"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2349796422069269026-2105886517-2065187851-151653974717629893998125369-302266913"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aqsEoEAY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "846652457-3875320952112168468-2133310925-1756960946-12092929361244413058442537515"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VskkEsQI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1784609535-4468613411482103338-11247217461631168176182762814-312300895-1218821060"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FykwsAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1963574681-107831849-152226312766209503612762242139303908-1831812482-887218150"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\loIkwoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1753500617-103287274-13638576781540784832-355170198410236969-14227366311604796272"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1948768361-1445969133946028056-1901953049-12440053681026865898-9585454851677474566"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1266740511-13937003719594888611500637648-542900058-27295825-9352742782064555157"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pGEwEcUc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-666312884-1047295009-1543675552-199417067-1211333139-285680955-18394065204415343"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1494502442-1222299139-10831887364421707071630072283-3913942001738765740549170928"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-906959151-995439962-188075584-564135980-1211261896409954500-1898247159884029114"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xSwUsIIg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-216066483-455199482-771752130-236245958342246804965501809580692718253389188"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5701414337902784083212598111643629987932622288-509454315-13266283847027344"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1322038875-62122903312103547686557837361435272226-1252520436-7601785461559988485"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "3802876217704383781169121254-206440403-1103080073-882805859856513413-1230841524"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1929600208-761075496-1375825387-981313266-2015098728-1326149488787780926145992090"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DgIAgMMM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3584196231451960977-278745419-1218057620840787772-19824070481964017712672140959"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mswYwIcI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1455003803584315437-359546957-19414888661772732896-6323774361594665288-865945313"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SIIAMwUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1659443934-551774356563937124-7290178891555164676-7986553661117375703-46235588"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-883051151-822219894-2582479971815794346-18974850721444588752-1896339898-1433685239"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SwQAIkog.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-13613561931320680959853822431-15663996761684785038-1718272445639410271408792791"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-21377678672242156121653085541-688785723763894926722645362-5172553641566484542"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kwogcocg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "620809974-975299620765679472-14359117731054004388-166493614610362079242128494015"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKcsMokA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-974763686251966942-1957540101-397931598-6891096351582324156-303853987-1479411573"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "16399456582005676265-1225294197-107526571936500732418628947281917433650787080125"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2089916962-615193461851495484-296668426-1587455648-1194483093664792133-1337373092"

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

Network

Country Destination Domain Proto
BO 200.87.164.69:9999 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.200.46:80 google.com tcp
BO 200.87.164.69:9999 tcp
BO 200.119.204.12:9999 tcp
BO 200.119.204.12:9999 tcp
BO 190.186.45.170:9999 tcp
BO 190.186.45.170:9999 tcp

Files

memory/1336-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\xIMIwcAc\YyoQIIwQ.exe

memory/1336-4-0x0000000001C90000-0x0000000001CC2000-memory.dmp

memory/1336-12-0x0000000001C90000-0x0000000001CC2000-memory.dmp

memory/1336-29-0x0000000001C90000-0x0000000001CC1000-memory.dmp

C:\ProgramData\ngAsMwgw\TkkIYcgA.exe

C:\Users\Admin\AppData\Local\Temp\LgMYIcAY.bat

memory/2944-32-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2448-30-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2616-35-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LCIYYgwc.bat

memory/1336-44-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VGIUQMUU.bat

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

memory/556-65-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2616-66-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1504-67-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sCoUQQIw.bat

MD5 16e753703d4b29de566b838861e8e09b
SHA1 68ca1590c285d1cc61eb434bfb91b24e5c733cb9
SHA256 54b6e14e73de8d96c9ffe8792d99afd39187fc8b255d38769eb4ee50998c7568
SHA512 7af52ea4b866d1522fb609dc78188a3cd95e5d9606d410cf6df5570b6e95059d3c297cdb7bb90520c153ca0230dc2967ea5fe7b3550029d50fd85c951cda3d06

memory/556-57-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1504-88-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\file.vbs

MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

memory/1976-92-0x00000000001B0000-0x00000000001E6000-memory.dmp

memory/1976-90-0x00000000001B0000-0x00000000001E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WSwsIEwc.bat

MD5 e32476d99e9462fa5751402d92be554e
SHA1 07abda3c2b71bffd72005badb3934b915bf43412
SHA256 3907dd8474091c996b42576a595886584b4c8ce7e40bbedb31e44a421f668799
SHA512 3b333f23bca5304f360c6e8aa87e82433a8e4ecdf42d82e1d41840801ab2e9eb526cd3001cb9a7952f0a57d91f3e74751a5753c776032db30a1d8069b1df0eba

memory/1552-113-0x0000000000400000-0x0000000000436000-memory.dmp

memory/788-114-0x0000000000160000-0x0000000000196000-memory.dmp

memory/788-105-0x0000000000160000-0x0000000000196000-memory.dmp

memory/1696-115-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wUEMEocI.bat

MD5 a601c98e58adfad7ca1ed865bcfb6c91
SHA1 ea15687c35e5d4c2bf67dc621dce398eb1f42bd8
SHA256 05ebe7b8e21abe73a0705a58395dc59c78cbcd340082f163a7ebadbf0faa9ab3
SHA512 1fa71bcea837a9b9f214524d6fb1465c8e9cc7bf159fb45393a06741ab9f1c9a0c8203f5e34bdce7e89b804c9c7587216923ed9c8e0f693daf290a379c72dc04

memory/1072-128-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1696-137-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EsoIkUMA.bat

MD5 d5c4e814a63b705a57ac37c02be3e580
SHA1 4fcae523b9af33ff97378312ff5399a0d7833d36
SHA256 867d5f77f3277de2c5ad75c938b8cf2df6468b157646d189c6a8ae234547dd9f
SHA512 03ff8bb1303f60f08d99fd0d09dbe899fa281190a8a0b89f03e150efc9f4a95232ca2c90ebbdb59c6917ab797048b165d9ebff034462aaad20628008ce9918df

memory/1072-158-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2840-159-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1624-160-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogckwYsM.bat

MD5 a4c5d600c6605fc69bbcc8ccb222e8ca
SHA1 ca1142d56f8de6c2f65f687e78223380bdde113c
SHA256 851658050b842aa89ff7a2e34082cad5df621fbe4c1d5d54aceda6527694bb98
SHA512 035c503e10d942223c05f8aec6eb802640fb2238b6c685163a51a1885fc5625a22b925891f83b6e120895a9c1495524493b134d92c4c7b065ef001adc679a277

memory/1624-184-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2560-176-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/2468-185-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RYAcckgM.bat

MD5 3f15fce106a8aecf3b05399f2026194d
SHA1 374d45035f6ddd3c8f5476a6da31b01241e6e158
SHA256 feed89b6308caa1d3746b38ebbe97d6619966a7ab6c047a63cec5fd6964a296b
SHA512 209f0655269ed7837ded5d98a3a9fa4e7dfa9171a58cc2b878db6426b12c492be658e4c3c6be1e2a4579307f34dc022c8229f12dd11416d64dc4b8297b08d3be

memory/1168-199-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2468-207-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xaUYYEsc.bat

MD5 4722915aee34dfa402afddcc62f943e7
SHA1 8ee7ee174bd370604b898bca9eed4ac1aca062d8
SHA256 0d2bbdf5e5a1add05d1013b416a3b97f172d44d41cd6e1fdac4460941201f3c6
SHA512 a0c912e5aa0ba5c41840ae50d04f7f5bdd50bf2a7b28d5b9b6d0021d941213cc6e5c514bbf04bb5f283bf544a2939d730710146f25563670d628d883078cc309

memory/1168-229-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1648-221-0x0000000000160000-0x0000000000196000-memory.dmp

memory/1588-230-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RqMIEUEA.bat

MD5 9ef9436f68f9fb01c6f5dcc40c0a9836
SHA1 fde8c8e632bf79f9e7a34a50df9d6bbe9ccf0fe3
SHA256 abe6676000e75a41dc526e580e378a8943c39f5a77269d9c77bb32b28265d19d
SHA512 4552dfca3339605ca2940e2a2cccf96cc464c80d1a3d924bad51b0153c6d18a0db5b2da5af6b8e29228897950f1f5df0433b4fe82b6d6e915304a4586b1a4733

memory/1848-255-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2160-256-0x0000000000280000-0x00000000002B6000-memory.dmp

memory/1588-254-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2160-246-0x0000000000280000-0x00000000002B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HCsMQQUw.bat

MD5 9d5ce34bc5d62d1e8ffa75d3d394cddd
SHA1 4a5ac4a8574142d136a1fca3114089bc35748bf8
SHA256 c430fed9ca7047ada3dc5849af25ec79d06d5f3f7382d030a11ba301aa66dbe9
SHA512 7ff6942aba4a41f628d87965d637ff41938577061ac46f59108fbac7ca812753e46b6d2b4a8655f8c7efd116b2aa74c48db070b83a7dd72150cd783a7011e6d5

memory/1656-269-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2756-270-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1848-279-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bykwgkUk.bat

MD5 9921e88550396584c1fa3025ffca7fd5
SHA1 39bf8fe9e97156061219f6c6e57daee211afaf27
SHA256 53b0f373f956967128fe11b7b8653954045dfabe4a9aef7e65e01c94f5a3d313
SHA512 81fde7de0572978fcde57d55ea94f535e46e8e5ab0c69f1a1a5136691b756f2525d1417a9657e095116b1aa49eb6cc268568bc0bf8c0129cc795e70397fd1257

memory/2188-303-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2012-301-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2756-302-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2012-293-0x0000000000120000-0x0000000000156000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NEQUEsIE.bat

MD5 b28a9bd04bdb414da2982e8432754454
SHA1 3ad27135110faa656c75d1c3d463f858ef64c73d
SHA256 25c188aef2c3ae5c4a65bdaac31c8a428070bcd9673a33552398a78b529ef841
SHA512 cac69a11ec0f5e10de883030c104b561e3750bfd09d8c8c1226d9e38619248595df1e560075ac1ecf325d1ca871bb31b18668664eac181562ae8c532693af9a0

memory/1752-318-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2188-326-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuYUMosU.bat

MD5 f157e2bb8700b52cd3f1d7d9d5872761
SHA1 7db846c47a63af1dfd40a8bdfa18c6a35cb08d75
SHA256 4d88814662ae40d0ab9ee25266a3018df515bc7c3727ee7b6026b38ddf06fad9
SHA512 298b434abeb83911c4015c6279d6e62f0c381109f993deb3ec7642cb70cdc7af747a32cd3ce129b856bd3f6b4ef1cac02437d121f01533a42272b148dd01dd5a

memory/1784-340-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2176-341-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1524-350-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GUookwcU.bat

MD5 3853b62ad338b4120dfaa41ce0212d6a
SHA1 0b699280d3b10a4ec6265f6a3c466f7e970bf2a7
SHA256 85f9e923267d665aa59c95268c32d4ea5c33a3977a81d4eb03a0581b0ac2b7cb
SHA512 05002f0687210e8c6a773e37d4777e4e0a4538b3b05c167e65039ecd97a2f4b3e7f318018b60e1cf6d0cb73da581d1267236181ebb427222bdcbc34f4f925255

memory/1880-364-0x0000000000120000-0x0000000000156000-memory.dmp

memory/2176-372-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\xIMIwcAc\YyoQIIwQ.inf

MD5 73fac327e3ee36c5b2c99c34868da4b4
SHA1 5b9e1ce57c3edaee49b9c4bcc4bc3039a3f9372a
SHA256 747005a61eadef6342f0202eb9e3281e4852c8a75e8cfb235c6f84367bf7d403
SHA512 496870882f60689707093f5d78de80d10183f78430ad1ef1ac58d5a434a488ef4785c15e842b8711fbe1bd73852f6e47b297deca876076302181defea25ca5a9

C:\Users\Admin\AppData\Local\Temp\yYwokkkA.bat

MD5 a88c76de712d51a657ccdd6a9a7d2a4b
SHA1 0eb10b3f49cf7e83ef325c8795228764218ede13
SHA256 14d34b185f18c68bf32f1d198008cdf5ba6367478a3d1b1710c3385f5c1de78b
SHA512 0c9364bd90a8e86e3490a5c52ba36c0d4461157a91dc50453db856a8a370eb07d2700b888894c3b57d5f5f3222792dff210ce3c6969a3620e8c973b8d6cfe3ba

C:\ProgramData\ngAsMwgw\TkkIYcgA.inf

MD5 4596e484a0d22c1a1d078f03240cd9a6
SHA1 a50aa2c91b9708cd449a81203f942dc296dc7cc7
SHA256 2065434d400f70406ba5554c561890bceb6b6f9b8ac030f215137f1b2b4e5ede
SHA512 5190120740cc1c32ceecb5793158fa60f1e7918108f46e63cec4e68fc1119301652099049c1dafce0011d87ec997221522101757c7a99f854c65b84fe8ad3c1e

memory/1484-389-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2060-397-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aSgIggYY.bat

MD5 04088e6847d6016fe459ff71766599a8
SHA1 09e8193e4dd3c51a8b2e99c9eb6272b0240708ae
SHA256 8c427786802bf0fa9bc82456dd5379d6162f0a46365eb248613bcb8d793ef183
SHA512 51a29d9bba4fb126796b02ba17186529d67cf7006f15839afe2dfe09fa5dc18c29bffada52a9bf454c6eb6f56640ad1ae6ac769735c77cb3365dda2b0f828928

memory/2988-411-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/2916-412-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1484-421-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eIssMEkY.bat

MD5 99856248518564e85cce281f40e99db9
SHA1 c97729bb58983712ec10802012903997771235ba
SHA256 48c5589e86e18ad5714d2220e5e6044335855a856c098db77e6feb1631b0f926
SHA512 1e3b5a51cc1d22a2da992cf98f6bf0d33983a261c544d8468af188f55746cb2f6ccc330aa24b9286285414c6900aa0238feb27ae727080cb76a73e1d461cd07b

memory/1092-443-0x00000000001D0000-0x0000000000206000-memory.dmp

memory/1940-444-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2916-442-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qQkQcwEc.bat

MD5 8b14f9e9da7627225ee52cb1feb54cd7
SHA1 4381e4349b597ba2081ebd9e4da6a61167310c40
SHA256 fe3c372d92cf0a8f2470a990ed4e6d1ccc5a1e8f49a6abc795bafda7f601d688
SHA512 2e50cc0718e7a882185f6620760d5802bf0f4ab2cfd188b6afc64924c7d869ef468eb340ac35ad781c84bff3246dd7eedd77af97a7e3d7830defa30edc016fb1

memory/1940-468-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2472-460-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/2472-458-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/2188-469-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\ngAsMwgw\TkkIYcgA.inf

MD5 dd5daac644f7e78d96bb936e484428ad
SHA1 a40b76dd4716714f3097df345737015ae4493da9
SHA256 44eaca7a0d7f14d7d370145bcd8ac6dcbd0dca0452df491815d838979eaa328a
SHA512 ef1357b8a4592030eb689e54f1ae276552686d705b261b627cb065f2c1f30ef329fd5f216bd33468de2b42390e495ab335c7ab0d0338eeaabe14d0b9603a0652

C:\Users\Admin\AppData\Local\Temp\IkkwwkIk.bat

MD5 2f1dca00f079ceafc03430f29868de80
SHA1 89c8ed230f7e7309cdffe2a4da129088ffd288a8
SHA256 cc4fb73f07d55623c4ff5cbabf328c8388f0d0df1b1887747718de371e68c132
SHA512 4c1b7a7e535e741890fba9b052cc164f30ad41b2eaab8f49288baafecb45db4cee89fcd7e652b91e451681f8cbdca38ee7c08510c9c025a42794e4b45e00779f

memory/2560-483-0x0000000000270000-0x00000000002A6000-memory.dmp

memory/2188-492-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VocYYgcc.bat

MD5 c0f44d963fe6eca7a6d7172204e6f17c
SHA1 e719c4d18f1df7c3e312d01e2d89096442900885
SHA256 40d968188334bcfef505b55cf4e40e57420f7e609cc382760a7c39d5839a2647
SHA512 42768d7d8d67cb616ab439683a56038a7e4923b0b5d7a53a1d76e18e2704d62e13049e0b75e4ffce190fec228ff613c392dc6e0af681c7c087b54a85dcac2eba

memory/2576-504-0x0000000000400000-0x0000000000436000-memory.dmp

memory/552-512-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2576-502-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1644-513-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RuAYkooI.bat

MD5 4b2fd914e67d95e0fd28ef0b325570ad
SHA1 b6b1f1602e204485db7f615d978233a1f8f76d85
SHA256 3d993c0f28e20289a8cf5b800c9de4f1a64357ae653ae04df332ccef82fb3d3f
SHA512 ce838f5e4e72041e92da730cc80befdb77a44793e160dda20df64b352ab5f293c7168ae520160468bb69684951b74399e6feede74614bfb334d5f7049d32e7de

memory/1304-533-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1316-524-0x0000000000370000-0x00000000003A6000-memory.dmp

memory/1644-532-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BUAwUscw.bat

MD5 4aa36e856a95098403206959bc07339d
SHA1 3705a87429895696d3302615cccbe3865a265f47
SHA256 5d068732ddc6450225679bbedca58143ff90a6e035adcefff8640fad375f1afc
SHA512 ecfc7bea48b2fe3c8de157bbea0b31e247e8483a793b67bef6f5ce2b04c3e3452fdd95d9515478fbf44f83bffbda3fcdfa0bc611f4bbeec90a701a1650694986

memory/1332-543-0x0000000000170000-0x00000000001A6000-memory.dmp

memory/1304-554-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1332-546-0x0000000000170000-0x00000000001A6000-memory.dmp

memory/1688-555-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jEEUMoEw.bat

MD5 df54cbc485d3ebd3343c9e78905e723a
SHA1 4ca907bba0225a4655af3570bb322755386e83c2
SHA256 976ec874f1f81aed0e320b816f5e4201ce84550e1c2911cf50bc58ff460d1bac
SHA512 0514ddb39b618847af8e2c4b7e2782a22ec587c5b062b0b69a99dbdac31db19feb4fc62f0bccd075ccad8beddc4b34f93f2f488fc791cd9b4645c01cc9001631

C:\Users\Admin\AppData\Local\Temp\AUkU.exe

MD5 b0e12ca0133d6c6c0da185085ce849de
SHA1 1e6117ca61f145ba2b4d12da74f724c9ca2fa749
SHA256 c99258f689bad695c5b0b3b7f0b5626e30b3c7dece9bfe3d3917f8b4f2f2b01a
SHA512 5a554f4164873e664931de52fa7bb3370de0e444313fac66a0c4405ce58181d257e79de6ed9533e4261eac567c3bd99ed565c06cf4ee78805b3a72ef60b0350d

memory/2580-589-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2580-590-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1688-588-0x0000000000400000-0x0000000000436000-memory.dmp

memory/568-609-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HagkIoUs.bat

MD5 c5321f6849a036b044c7db9da07cbdb6
SHA1 d89afb1f79b4cc236310add9f7700b8ad463d3d9
SHA256 df1735b00db0c361877043cbfad95f6c766e07d0999a55a0bb80ddd475ed097a
SHA512 33e0ba39c139d64256bdea4bd8ff74bc6780ac8617274cf7df81a70a7306b165e8186c62c0daaf0f3b5b94d6cd8f3b02c6867124986936d673a34f5009b846fe

memory/568-591-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RYQkEsgo.bat

MD5 734338137ce7ec41569d232eceadfa01
SHA1 dfe0fc5b653419b611278fb2f2206255ceed2cfa
SHA256 200cc4ed0b3f64dc9a54bd58563419a6fcbeb811bfd4ec7e708350d025f4228f
SHA512 4e38d6dcadb69a4996f6041a6228ac7f776a497949bc37d9836b4e8b894e89695875e2ed6217f80ecd700f76f5558c4b816e4e188f0908509012676b83f91326

memory/1040-619-0x0000000000120000-0x0000000000156000-memory.dmp

memory/1656-629-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\joUIkIEQ.bat

MD5 1b839010e7b4fdc86b6a3eea21df2df9
SHA1 339fb304d8373e48b418d0915a44b59f941a3e57
SHA256 e45fe75a2f2a37b829a9e5d7ffb5db03b3f19e6281b72e57102ea75dac97721b
SHA512 9a09b32dcbb95105b663908b1813a31228344d80b1afee017349f1d79493f72f51d85a4adf1ad0cb2893ea7408afd7e678c9c9f0e58a3dfafffccd7f82eb8bb2

memory/1124-621-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2456-641-0x0000000000160000-0x0000000000196000-memory.dmp

memory/1124-650-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\okQEUQwI.bat

MD5 04dbedcb4b84d5202befc877aa2679c4
SHA1 656c04337ff954dc03981ebc90201c69764dd491
SHA256 1a8a0bedc235d8e5d125b348bbdb58348cf37529942da0ad25ef5fe368b59c10
SHA512 97c1728f67d137be3bf8763c1ccca54283b92ce9b0042a74c35bb25433c760d03bbf4d44f54a39c974744aad35e219977b3a8c05ce26b5ec26cca7f3b0178383

memory/2560-669-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1288-661-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wGwokgsI.bat

MD5 f92350ad3acf9336c7db6fd637cab4cf
SHA1 44f41543f44d78c01c4445b9f589c2c58f9db77e
SHA256 a5287e0ef68a67a80fa37242bbab02871ca0a195392bfd65017b2e943409afef
SHA512 4b8c2523a9a072ea8c27729ab65499b1e1297ab6e1fa2998b83e5db419743751948b937fd0b4ec00af7a19acfc2c04e459067fbbda8a0f20e9789488f9ea5332

memory/1288-688-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1844-687-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/2200-689-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WEgsocsQ.bat

MD5 a781f56231d6f74fab1380f2eb8b32db
SHA1 74ff27893f44adf465a4ce909fa327e31f565958
SHA256 70ad57885d55ef3636054d49cda8b79a4d9cd8211021765ca3fa61957578c63b
SHA512 96e6d7263c63d32b7d87f99af33395695dbee26c6b8bca2b042aa97e9ed07a17a86ead993f817c7780333df3fae969a5f5bb69a7bc27ed17fbe5e3970bbe5bfa

memory/2200-708-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1872-709-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1872-699-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qMEoQkgw.bat

MD5 2cb463f9c5c2f985bc2a57d1d5130ec0
SHA1 67714d8eb5e5a1030d13d858cdf7560a732cf92a
SHA256 dc00772d5e21aa9915f61df9dea828c2fa30c8bd5f0ca35ae02f6fb02505e571
SHA512 5fcc208acd1fd8181a3e79fa167de1026c3471d46ac5b3926f8ed782b53e3a93f6c67026c7ff0f3a4ae3a8c5cae789c20e7a161b01e3be0cd7fa07a4cd4203f0

memory/2700-730-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgkUUYQU.bat

MD5 0176af969ad790205aca223110fea689
SHA1 ad7fb9535e9f2a090e51cec6215630ddd2329407
SHA256 60e878202f2f6db55638c50390c656ed452ed0b6c5233c9ba355457d4b0e871e
SHA512 06536334a0475758bd1402f0708573ed8069f99695d4ba9f0872b9364bc30078ec4be8a72c592020ba03dd03059d0c190f0e540883294e2ca56421f2c9af21d8

memory/2512-750-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ScIoYkwc.bat

MD5 ac09bb55649fb525a28e437e65f1a227
SHA1 40ed4e178ab25e8d14f129ac8b61734632dd79a9
SHA256 2f0f44a406b63ca4c14fb4fbf0da66a6dbc4fdc198b75dda7d235df61a6ec74b
SHA512 a15186ca76958b8101a9bd134451b7d8ba45d4807024b3359daeb36aecc10cfce305d814103eb2ab5fdcaeca113882b2b439af32a8718d690d8ba5def2445f95

memory/2520-768-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LwUwwkEA.bat

MD5 09643a199400664b3285e50264b1d1a9
SHA1 8ea99b42b4d036622eaf06689d1b85bf84366408
SHA256 56091c3c27d1d9d9a2c38bb7c7c92c534937c004ee84650e587df5af618a3892
SHA512 b4ba8f15112890384b498fdb89d9c4d66351bdae7959f58716d258e00d6f28ae25bf42844ed7f99e042ad96627eb458535fe1e4d23bd28069fdf10bed8bf860e

memory/1076-788-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BywkAsgY.bat

MD5 815e445d105481ad372d9deb4a5d6598
SHA1 49a1d6679aeddb0535613f0024c6448849c24be2
SHA256 3913ec29db917240cadb10544544a08ab50ed88220b39d6ec903dd9400e4130a
SHA512 03772e81e433f9aaee62ea3b3be0e73582ec42da36584bfccc559e0f03194c0ece3158d85740e8e7b18cbe7f6c2e89229b4cade6be561c57da8671ab65e73b4f

memory/2452-806-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lIMYAAcQ.bat

MD5 fb656b3fe2357bcf7d44a43f83e2b959
SHA1 a4c3e007ad7ddeb3ef2327809aed45ab31414f9d
SHA256 e66e35a8113487ed2277d41cc51eeefa63dfc410d8f52abaf750dd03f8b37846
SHA512 554f151aa532462719026525ae1ccb8825b9d4cb2ecf873178519985659d6cb07ca88b2a744b049238de7b67c30276aaf724ea5ea425b06b0a8d16c4a3e173ad

memory/960-824-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zgUscgkk.bat

MD5 2bc093dfcc5ed888e192b4f6632c76cf
SHA1 53d9a173bbf444a0ece02a5d2077a1476b420360
SHA256 cd49ac528fd05e03eaa5f8198c4a8cd514731807551d93449822c1715c5d2b0f
SHA512 7803e80e2f0a0c3c940659a7aa53070157b3b365d2cc9652dd2ed42afd75d102674f7897752900cc864c242f78ca82f82f999f249b775f6e4982a8cc713fe65a

memory/1620-844-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zOQEosoc.bat

MD5 cc9dbd44bcb9d6560c9016eb58564292
SHA1 ea48c761d68fdf0e3d6ec86cfddee1002c90d754
SHA256 85606d51c2283ad2ef558dfab31a3d65cd6de26a5e83ec4a5c9f79b2b63c74f7
SHA512 b937f459343efc97f163f64219abdef871e640638f0c6be1d69dfe78f9f34ee0cfed4b26ae2c987599aec38f6c9fce97bc64103b8a53adaf1a71e2aade3eed20

memory/2720-862-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dasskQAA.bat

MD5 35c8b9bbccd623ebcd584b236903cf65
SHA1 6dafd5b49320d2919b897f275219cc2f6918c0be
SHA256 d717f800853afcf7897c5b9389d16bc78ab75e5759faec6ac08325e9b20ef80d
SHA512 70b37471608c1ac9af8e500038b4d6e31b8afcf132d3845294b6d547bf62ee57af105323c65bda924e81b68f6300054a27bb02c7e960f7df847fc2677a24fdd2

memory/1716-880-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IYAcMksE.bat

MD5 6e6acdb8d69959852ed8285a59c47049
SHA1 9fb99ad6df246386bb262f60068ae048be993a32
SHA256 ce887a42a3f5d89521dd32009ccfbb042c512bbf05cd7ae4fe1c7b7e9253d291
SHA512 4233429e2dd5d2431ccdcf7009fa25bb97dbcf12de1eb378926f0c21eefbbc32aef3910305036e733eb524af6cccedd516537cff66b242b1c173691eb9f24e45

memory/2640-900-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UUAQYwAY.bat

MD5 c60b582a488fda95949d84d4f84c61ee
SHA1 b86e3959efb7e8b2a3ac98a633bf4c9c48cd1fad
SHA256 ba6b023f01d1cc0c59cbe6ac4a4841bf902738aae32708da2abed2ebfb7ffb42
SHA512 d83c6315c866b71a0945a0f3c2f90c6eb6ea171075623a2268c3afc832142df69604dc06359c81d15b388f00efd4ff99b6ba283a2d09aed744f6f6daafccbc9a

memory/2216-918-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wSQkUcQw.bat

MD5 fb1161f28fe8a37b41ed6cd7e35e81e8
SHA1 77562f30321cb84b815c54dc59a0f9f2c5391496
SHA256 3d1ae07577a961b00479fb9509a7097b18931b45276e70ff63d51df29c607a0b
SHA512 bd11539eba9844d3bc74028204753c123f88bba4d48f6d5b11a696414e4e56743dae859d826d7020157c6fb5598848783749749d7ff6193e3764cb64cf146ade

memory/2560-936-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yIosgQUM.bat

MD5 7b7bc1816e02e9c3f70f7c3366be9de1
SHA1 a64f460f8edf6145fd40ea670ccf1aa58832f2dd
SHA256 90abe102ab1b5193c81e2ece18955d6838e9d280b466d7c48fedc2e1dcc06690
SHA512 b41375eb57a17e5febfa1d9adcf27ece74a4faa9eca4085b578a4384ee4585b88cc73dcd7aff006e9ed5919a56b0dee8e4b75f110e3643a0c08f5a1b50e17fbf

memory/1880-956-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GEwS.exe

MD5 09dcad3560fcc0966f65a76d7790a7b8
SHA1 29fea96eb0ea901adaf832669482c4cd4becdf5b
SHA256 0bca2fe5cb8c5612cd173aa6411f1a8a0ca32cbfe71c65e6c2ecf33012ed0981
SHA512 c823f4fffe1f6374b0c982cb2da3efb2d2616962fe1578da73a00baeef19d090643fdee87ff233531f1fedb987dd72b9aa19be6413436dd34e2dcc6e4bd88414

C:\Users\Admin\AppData\Local\Temp\SqsMMwoI.bat

MD5 741710b89b90c5230617116f8b0c5d97
SHA1 4cf9c79319de49d207d7380af700cedbd168c32b
SHA256 adfe4f4a69285e9db896c0cce57b79d3ddefae10cc90c88a3c416273089812c6
SHA512 37bd9313caf55a3ce1e9b91c6d72f4ac79822568a8e86a7ba35c9f18abb2213e7438d6c003a09d7f95f03208d3db62059aa2ee366741657537b37caff7cbbc1d

C:\Users\Admin\AppData\Local\Temp\KQcG.exe

MD5 e8fc64e76d96905ca7506491e6228591
SHA1 8fcaf53726959a804ee677b8e1e35619798e998b
SHA256 0c5f5dfb6b9b47e6a4fee4ec4137e89e8b95675adfefa887d1068c1216c12135
SHA512 8d1da1eb0f7d7355fa67843628740a4957bbdfcd6b35628d27387e77a6abd201c20ad877310c3672cf2696ce5f58b7966bc5dcd1b9fc92691e8aed30d98f1b2c

C:\Users\Admin\AppData\Local\Temp\kgEA.ico

MD5 47a169535b738bd50344df196735e258
SHA1 23b4c8041b83f0374554191d543fdce6890f4723
SHA256 ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf
SHA512 ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

MD5 86dd66aea2c084667baac97a5afdc221
SHA1 04e94158cbe5b26f0e74c7ffe74f0738bb706331
SHA256 165303d98e18f632b202790eca9ff348ee4ea26dff7e4660078c6bf996f97966
SHA512 466979730251772ae1102430feff537246c4cb426c13a9c1b98cc37bbb51d695c140c3fa30d57ed707820834be3d1ec4b999a0dd3f63ec9b137d8a9fa2c2f733

C:\Users\Admin\AppData\Local\Temp\oYAM.exe

MD5 d63341004f6ce9226cfdc7eccbeadcae
SHA1 2b1a6cda5dad16decfa1d31cf13dfd0783f6e77d
SHA256 fd38cd514f892647529434e53ee58aed8e43fc552666b97cfd8693405943009c
SHA512 f6fc62df35598eb6402ae3925b6f6bdae92a702ed12906addf31e118a9fd41ff45e5bad540915d2d88135f77605edddf6a9a9f00bf045a6a26cb80217237d7df

memory/2088-1000-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cMUI.exe

MD5 a2c5ffe4a3c8d666673c22e1810f99b5
SHA1 0789b52e756e2b5a039b219ed4430cc761d8f7eb
SHA256 a4d7285b6dab3d8b34a1dde37ac71153039b8061906c61c07647eb012eb2bbea
SHA512 8455cfbca773f85566ba550cb2d216ab5013aca0bd87312dae907e681bf229ae4a64544ed8df4fd50925dae0d8da9f0e3977761db317a3ea9ef9e8d934032ef3

C:\Users\Admin\AppData\Local\Temp\WEkm.exe

MD5 d0ffb985cfe35a77ebaf4c125bbda6b2
SHA1 bce4fe8d978cad4ea4da471db982dac08457775f
SHA256 5a6707443c20a4f8fc1d8d71481de7adad961be2f791328b97915f227ac93efb
SHA512 2aa7c3975cdc206b662a49193cf66c07429c9f10dcb42fd27e50b5ea0da3d4c5f1afbfa8cdf6a033f1d2ad2a352413786516ed7626a1169146cb5190acea9422

C:\Users\Admin\AppData\Local\Temp\ogAu.exe

MD5 cbf2117aeabda7b53c246f7d79195a45
SHA1 b615a52e8155e27a6f32fdc117272620167df718
SHA256 019d37c963987592534a55fca85e2e3867ce6cea2ee1d0f3b8f1efb84116a21b
SHA512 86e8c6ef4a3e1982953aa94d03b8e7647639bb0cb5c7e2f81e2087df2f5f3ae46c9149296c609a57a5596bf86e90222f87ad66ec53370e891ff8244f370b639c

C:\Users\Admin\AppData\Local\Temp\wAMU.exe

MD5 9bd0efd15d81eebe47df4606dbfb53a0
SHA1 83a8054d577f8adc7cf94bddff3df77803f15262
SHA256 a45fa1096092e80a2ddc90fc726720ad702e8dbdbeb8db33b342d3b0d6b514e5
SHA512 92cb693c663822e6b40cb5c5b80c5991c93ed293c04a56cbc333d0a040f20fc44734753708117d4fbf83e6877cb083cdc3abb96c6834f16d2d67d01d9fb9754d

C:\Users\Admin\AppData\Local\Temp\YgEM.exe

MD5 0a1d5a4309007ccd11ceec7f7dc13502
SHA1 2f3a1606cf230a27adafaf440e00f7f88987f1f5
SHA256 5ee2808ebc7d8c2d236fc595aecaf5810a4a146e133befdf1574b12368c5cbb7
SHA512 56a2009509318f1e7fc3653242bb5e2287debe1cc5df80ed196466c13788feeba55a6ca24f3625adf05e776e945e6b8fac1fd055c3ffdf7f49207355f397ebf5

C:\Users\Admin\AppData\Local\Temp\YcMi.exe

MD5 b60ca9f0185843710e783f63535972de
SHA1 c4e4cb0469c48a1ae5f0381768ccdda75ac04d94
SHA256 8b1ef99edf5d2a909c5d88d82ee132292b3c99750df6f46f7405e38a1e3d9d35
SHA512 b4ca6650a9cfa8cbac012b5f9a3e822fdd32fcfca7bb7622be372bcc613405b403a5d0a6bcc59bbf53df55239a84296365332e79b1b701686c2ed976060b6948

C:\Users\Admin\AppData\Local\Temp\UYoY.exe

MD5 5b4d0a920f5be5abc03495ff37d9d888
SHA1 6aed7155f5d8b4c972e8242810990cd095638783
SHA256 e08440de0501126e5e7de3aa8744d5ef77e88fcddb32674bfe8e5452d41866a2
SHA512 f2109375bcab08803a9f242bab91d866794fabfa945947f9bfe68b2ac9a5f58a8d4d2f32b067044c20d5534d7bdeb6be1dcd8ca6fe41d97e1cee0cc2bea75236

C:\Users\Admin\AppData\Local\Temp\QYcu.exe

MD5 bb6e7229565957573330e93b182ee18e
SHA1 d6fcf8b92668f093387268dd46a87eabf802b7c6
SHA256 58667b263377fe42a9ad1a4977a602d6d0b3c9126366654e4d303c236581fc0d
SHA512 9ccf5f64a3372b6670ba181b54282b45701d81e597a773c225a0adabeff6ddd4d718b43f76bddb2dc2e8601a19fe4ec3dcd69331ae93e3d137c98d4f19bb43ec

C:\Users\Admin\AppData\Local\Temp\EIEq.exe

MD5 6eaec3f907654f934739abea2eaaec06
SHA1 fc0bdb7bc5631ccbf5440612da0412471d70b4f4
SHA256 9c5db6df289c4abe5fe843c423b4a28405c3b0438cbf223703cd25d6f5447305
SHA512 ee2fe8a417fcfc141096f8460d9c2ebeba654106e985ddb7a06e8f9af4c652e1432915b0d635a118a3586f39d11190df82a818a66a2180f92d2919f65e34ed2b

C:\Users\Admin\AppData\Local\Temp\iQwG.exe

MD5 b8c609711b56090f3496bd5e5b4a26f0
SHA1 449985b82e03c19b1d347a505e00f205a3b9363f
SHA256 9ed68835ec9de2ac8f90d0e0420f8df470908492c17fb1959d5003c9ec701017
SHA512 205fe406a80f27419f9fde32fb95ce6529426f535e47bba4324e9f4fe13e03ca0a93b4947d66ce766a8a17d5fbaefaa21f323af4b58e699f9eb9d285ea29e74a

C:\Users\Admin\AppData\Local\Temp\KAAg.exe

MD5 bb93e1567a19292d640c073692feb539
SHA1 d29db95eb4d6e6a2c907eed13bb132f8a51b6b55
SHA256 88699781b0e7ff3eeacbae3c6e9cc68774375fb333f596499ac47889ab455186
SHA512 4e9da01bc82b6e56562908c7d7436a6334917410612dc0a34e97923066a6bc0eb50e11c66eb86e6b3dbc3e4c0bbf1f903bb07faaf11f2dc98856568739f608e3

C:\Users\Admin\AppData\Local\Temp\eUoe.exe

MD5 a01a2cb76c039f04cf65932ae4866d3d
SHA1 b939839af8cf273fe98ba4cb22906e85b4d8e088
SHA256 6273b670252108528bb003132a30d3777fefcecdc584c26d7fe9941ff4303dee
SHA512 bebd5e3a94f2db24dbf59664adc6d9553b0a018717b058ed178c04d5ac2b8ac6e7c99a1fe60ed607de1533a7c58588aa0b08d296594d819490a13d4b72fa28e4

C:\Users\Admin\AppData\Local\Temp\kcwM.exe

MD5 29fe1a2264330a42f26730ff926ab505
SHA1 4bb22cf5027cb0441cf17910b009fbb6e2b23174
SHA256 030d91aa840c57d3c4e5b3c582a921400968a726b4e5a033d2a6757532dbf283
SHA512 68ffab30b56475b3f1d7a99b03584610dce475d570e43aa7390cd18982e31c60ec6174e644432c256541271ea704765780aa2d36bb7d05fc498eaee1f68b426b

C:\Users\Admin\AppData\Local\Temp\uEoS.exe

MD5 ed2d0263f9906fe9cd9ee361eb9cca90
SHA1 c3d135fa9cc57d6778d8bcde03824782612118c5
SHA256 9771c03f9001573503dc234545f9334fc72a5a816e6f0c7e721d336f99f2690c
SHA512 f7f9b396674a5b33996a99b0650d998cc5fdf79159343c591e8a1a46a37b7eb8956916a063c967bdb3ca7b01bd6c243a8a6c99815cc7289c7bd1551882306246

C:\Users\Admin\AppData\Local\Temp\cowk.exe

MD5 3a9dd36ad3f02f0a43078b06496fc550
SHA1 90fb59e15e395ff744732bbbcd1e5269dba32988
SHA256 67bb2690459bc9c89a557b280ce89ddfed721d452fc5c0fece1a1ce872a75f75
SHA512 d15ab7bb7a8e26cf52e7eaad16826b78e5eb2f14817be4a254f9fbdc71ab59806b716f45c77a34d55d2953c1c7bd53eef5237f5d71ab8c24dd070fbccee25e4b

C:\Users\Admin\AppData\Local\Temp\IAgc.exe

MD5 c126e2fe21ac05fe5dbc52d9cf3aa09a
SHA1 2be4c45a823262326c0b187f5ea6c11e209f18c6
SHA256 af7a304c6d9268f9112538f5091c3c7aba0e33fbe389afe68bc5761e61598084
SHA512 1d1f4e8a281d7e66b36386e074d43e57d266ea9b527b3186b7439a48cedfdb8a166ba2a396cec6ca67d85b1c735763aaece258aa5901e49900dfd10e0f179fd6

C:\Users\Admin\AppData\Local\Temp\oYUg.exe

MD5 2199b0846142b05391bae24e350003a8
SHA1 62015b29ebe90f553cb4b87f79aea53b76ea2dc2
SHA256 46900ccbfb822b7f743b3ccc785e510a68b5c45098d39940a42ced3cd169c04d
SHA512 58642eb61c0471d009a0d093286289c610edda308336b80ce33f826eac56d653695db95c19adc0b5758ad33d2ba8915ec4955b40cb0a44160023e883a19079ba

C:\Users\Admin\AppData\Local\Temp\gYEe.exe

MD5 cde28ce67d8cd9108e6836187bb253d0
SHA1 b177afaaeb01f9aa7ad1446fe7535746d29656ae
SHA256 b07d36b833aafe8d8490040316c377eebf1fc9f0233f200b866888557f52d12f
SHA512 7e83449ea3996b7ecc698d549168074bacd1c0f26f5e0fd11e58daf72667625087bf06946d8bea31073f31506010218125a7d7442bd7e24468ceca1943a6d77a

C:\Users\Admin\AppData\Local\Temp\kMgs.exe

MD5 5e7bdd8fe738459229fae389ad160d53
SHA1 f23987b55a04dd89ef9b80e3909f7407578e374c
SHA256 fccbb502461d702d2d40edd177025acf8ccbc892c0ab9a8dd62a4286d5d3d27b
SHA512 b383f144e9e2454133a552f199acc9858fff9326dfe86fdf731d1e9b73d7689f7080848a4c8a10d656a9c68ee60d0e0a1688ce86db7353f11d90fc726790b29c

C:\Users\Admin\AppData\Local\Temp\AwwM.exe

MD5 194879cfa0209b2afc6c32ca115b5977
SHA1 a7c562bed289f292b9b85aee7c00783db868e174
SHA256 f785734a584b824881203b36fad9df5551a010da9d354dd5d675250f646f635f
SHA512 0d0550fb0206f7b8e4594cdbdeda0b89638b01d34252609821b180cf164cb3ea40f1120257d87a2f298aee90433b427df8fb9f35b024ed780bf0a04270b6eda6

C:\Users\Admin\AppData\Local\Temp\MgAE.exe

MD5 8717bc11e3b3b4c82e0636ef756f94cd
SHA1 c679d8356d6543e75b51f21ebb60ca0c40a12dfe
SHA256 ded45bd67c4cb19ff3d809180b345ab12fc544a87e1c5b80eecc06ff0ee601f8
SHA512 afd0d45d516576bed3362fa552d07fd39d49fa6672bd97319dc767aa15df4f7794cc5ff531f788123f89d4b79067daa69fe343dac2a4dc8e8ea99ae4d18bc30e

C:\Users\Admin\AppData\Local\Temp\skcU.exe

MD5 05722b440cb04c14ac9f0d9ae7061cad
SHA1 e32df27c15c4e0d8d3a7ff79afe17139b3268d99
SHA256 3397727df55a7e6f9fef54abf72b1081b82c4a841e211af3e0c1c84e38557eb9
SHA512 eba2f950afed8ec61548352f72ef0d2c8b8501c4e167fcf9d91c2be6e15f12d4433c8f3fe08400d02d9a87c37a0e83d3dd94d3d6ec30091cb4930d0e939cc7e7

C:\Users\Admin\AppData\Local\Temp\YYou.exe

MD5 852df8a1d30b520bdec99e1a1fbb1c9d
SHA1 634ee5d1af487bf0025f3185e850ce513fbf52c1
SHA256 8ac312a8ee79fb6674079c113d61ba22026ecf75eb44e20c36c89bde5b9c9086
SHA512 24ecc05660e199f8655508d6978215ed06de406eb162e821f42fb75e52e2e85c1e2da9985b7bfd6fae48f3ec7d994af3b948a9baa52f7081b272c077bfea36c4

C:\Users\Admin\AppData\Local\Temp\Cssw.exe

MD5 91760cbcae78663785d55aabb82165e0
SHA1 6ea467b201fbc801d3f1f71b8d66fc4d32eac647
SHA256 d89a1d000ef87ef7dc85ce7c6dd8c944e14b804bb9fb6dccc49840a421da9769
SHA512 fa13effc94116d510d96c5a0877ee12c61d181311be92e3a2a0d9935a9c48e54cd42fffa1fbf9eb557e71524be815ed8b7f06730889907181464ab0711d08516

C:\Users\Admin\AppData\Local\Temp\CAkG.exe

MD5 759d1409fa1c2c6efd0593f3994fee76
SHA1 ec1f97e5fe3e4854e7b894d3696f183636b2154f
SHA256 1ad9cfaea9feb8b4ad338ffff47669f8de369365ebeb24edd9f1e56aa61e3198
SHA512 41669a9c8623870b5050301b055c1b9a0939796f30b636efbfbdcf3c45fddc36e6020643e0de49b5bb64498368e7106e3d32412632b8a819b48c45f2d3fd963d

C:\Users\Admin\AppData\Local\Temp\KMkI.exe

MD5 41e9000d548d54b29ab564b9541ce74a
SHA1 0b94ef2511372ceeef53fd01e74c3f8e0c3afda6
SHA256 b4624a09c3d5a964569493fd3949c9b3039fe34ac7f2ceb5bcf6e8d83a5ac5f5
SHA512 af12bd8654fecc4e562e10ce8a69e315e9ce4cd29e0e547cce637bd6c4eeb73f2f68507093114bd26079d55c54d85d91fac2e0a7e3659b01ff4e179e85def717

C:\Users\Admin\AppData\Local\Temp\oMMq.exe

MD5 4574972d1c3c76bbe1e7fa47e51fcbdc
SHA1 609ad18ba85e549fc2a038af5ca752451735c91a
SHA256 2a312c9deb2bc1ebf07ec22cfa2e174c4ba3734b94de207d706fdc0a2fd13fd2
SHA512 2b07f217cdd82131b57acbeddc5d71d834aded727f6ccf577a301242b1e27010fdad24cb9380e8d86a5ec4a3d93b13e947713a01308a46d77dbd232170784d2f

C:\Users\Admin\AppData\Local\Temp\OMYu.exe

MD5 f3d223c777766d7b3b82c5ed9f3bbabb
SHA1 7312dfd5024b89dbf4f2fa1511beaa858db9f22c
SHA256 dcd73abc54db0da7bcc552edb9864dca77c95aae2b4190e21d9d49337c0197ef
SHA512 b46d178b8b79458992f7f10831d7845cc8bc0b5e672245a564d3ad4c4200e21c9d9b72aa905c1d1b57bd6f847ec8fea8507cfcfac69b3b00ef1f7f0710fec398

C:\Users\Admin\AppData\Local\Temp\WsQW.exe

MD5 1f16d606e26cc979bb90dcbfb998c283
SHA1 0be044d816cc161e83a9242cf9f1270f2c6d2326
SHA256 a31fdb70453917d5b94476b0833b25633f9f10ace49f7a0150c96a1eae35f0f3
SHA512 8c63164f63b70e49fb8ff287cb80ff46814299d9250d8a3677e125bcdedd084c0c2dd7c63c31bba1356d5527a2077fa48b5799696e29c545788a02dc7e4b74f5

C:\Users\Admin\AppData\Local\Temp\WcUO.exe

MD5 6cf25748888d22487471d66cb7b4cd36
SHA1 99af640876937bebca79217e6caace79df557e0b
SHA256 be24124d42893980436b88f4e3987b51298151338b471e6eca202b3fdbe24131
SHA512 4c579308bd5b8007d17ef8057841656d78cc55f65b21bbe39d49c8f67cb8b98e3b313976f819be616d863c20bd516dd131b429275bb853b5044158f3c91571a3

C:\Users\Admin\AppData\Local\Temp\OAYW.exe

MD5 ae32cec219fc1ca19df31822813ac6f2
SHA1 66997a20c7c2a91f674528683c9638672028320c
SHA256 510586ca3f1cdbd083b9aecc74a206c2c7d47b5aa3bb094ee6af605811587c58
SHA512 02a30f0677c35bc998a1aa122ed713fca2d0e3aadb39b4f050eab56d86465f98d4d8e1bd3aae2ada5776423d11662240626f2d9f7dbbc2157fcd4a5a3111a51f

C:\Users\Admin\AppData\Local\Temp\oQIM.exe

MD5 8186971aab3c324fa482e2d810dca33e
SHA1 16b47c36745e048569ec54e057f36d87fbe9d91b
SHA256 85e246435e6599078f1909827e4af0ea2bfb573bcc9f925bf9d798c7fa657531
SHA512 9be578e28c667b51ebca537eb44a4cf7198df6a49747a889852ca5c6d62d9b22d27fe40189a3baa2975a61b2f4c3ca7428653fe1995d74c6e89f05f955c8f4cd

C:\Users\Admin\AppData\Local\Temp\EcEG.exe

MD5 f4784cc0c266ffc5d1b52d3c3a745d67
SHA1 ecd0a8449ae2ab8b00ee344d63113a08318d05c6
SHA256 d456346c9c8be4d31d2e961d76118449509c8fef03b37bc6df90084ba92da1dc
SHA512 25c5105f59f2676cc76e3f1d75d94a23499f31b471cb865bdb23a50080938de6be787603365e82bf8863174ab7b99c7adabced47128b79df1cce305cf8bd8a29

C:\Users\Admin\AppData\Local\Temp\mcEc.exe

MD5 d8cf9fb67f157d7217e3a1399e8bdca2
SHA1 c99e0676f849bd653950e2733f826a8615e5ae0f
SHA256 a6e639be4af7667adab71e0c9b44c4129e1e7e673f577f322adfd481d69cd4d6
SHA512 b3122f0b870c8b1e6bd0638a09180a2f8145376d614002acc9b562fecd12e44aab8726cb4701210061f4ed8a48e7dd572623a4ad9126de3620ee3a56cc95abb3

C:\Users\Admin\AppData\Local\Temp\OgIY.exe

MD5 21f8e609ea2a451462f6529f7f5151d7
SHA1 3f0c1ecb9e171e1bf0c575a7df073c1bbd6d0e65
SHA256 f5703b98ef4afe478af3ef29d81cae488f1840ce9a35e4309f6d815f0fbd6a03
SHA512 7c47bd05f303b7c2c3d7a5119fdb4b31af7381f4ba0d51b27cee6edbb339bf90f6813ceb7bccfff58d8994b2e539ef5f13ef953c58350840d6f5b50c9a66b07c

C:\Users\Admin\AppData\Local\Temp\EEkc.exe

MD5 1bf0442eb136749ce296ddd0ae5e883f
SHA1 0208cabd6f58a1d0a01287dd8f6507b1b433cff0
SHA256 831070a0bd879658990455a5373f94cc1ab250bd591440e230a40c912f704943
SHA512 8978a7ca09b2c5f24e780cfe771cd320d8f682b166fd517babb0fec355d619f255a3a275302fb4c8ff568e6ab1bab362b72d7cad8dbce3b70980d84ed565a5f8

C:\Users\Admin\AppData\Local\Temp\gMck.exe

MD5 409cc5f789c1947388ced568bb1b6856
SHA1 82edab6a5a2b2ef178ae068475302a18d1b2d626
SHA256 8fb4bf7903bebfde08e3f92f9420c91d79a9e677f7d536e9111c494a062b98b9
SHA512 7c1a29f389031a13df05cad093e5e2de54c23fcc9d41a8cbb5d734dc1cb8455e21a1822fd0e6a6568784c0f5ed4f00c304e045005a11ce3b8b381cb270346874

C:\Users\Admin\AppData\Local\Temp\ssUi.exe

MD5 27d1d579d8b65efa5f33269f12d5fadb
SHA1 0c18aef7d432566e79aa651bcc61579d335debb2
SHA256 a32732bcdfd77b257618696b05378a360294ec7c40738c7c766952ce0b7ab417
SHA512 476c921d7c00a6fed108884315788843873d067714ba9a910d7f0a90b87f94fbca1e411f33a4fb003d1c7637aef5426365eeae5cd980b9b682cd5919345c0e0c

C:\Users\Admin\AppData\Local\Temp\YEEm.exe

MD5 ab762f7c538f363a828bfdec267f99e5
SHA1 cd31f0f605b85bc5ada5c44d0efaa8c9069a293b
SHA256 c277c690899fc305aee0218834240844429af93b2616b9bf7cf0deeb8e3ae34c
SHA512 d9f53e6594df3146b152f6148c2b0dacd85f0a3280909dda03ea6f691fbd9574d3d833920cfc21d4a7b3a9cbc413f3edb107a134a1c9556f22f418b4133838b7

C:\Users\Admin\AppData\Local\Temp\mgUY.exe

MD5 4c9fb452d7e62a6fb34ec539b63c80db
SHA1 dd100f1104f328a59aab1799e087ec65f2910dcf
SHA256 393659895e297777228014f8f50cbdfa702bae8b2f2df781b4c129002362dcd2
SHA512 cf89c4557a47ec647f0e5ed4015e8901d6e14abb8543ec34697f6077c3098005989a1ca1bf43337203f2db9297dc7ad85f4776d9b62115de908b5a9a5e444e3b

C:\Users\Admin\AppData\Local\Temp\yooK.exe

MD5 b398c7f92a705fb2dc670b44273ec388
SHA1 66a953266f87a4748ee0974b6baf5a5746a2ddac
SHA256 5f2f8c911448dc2823daa2c5f31e1f620b979feda075c1177214a78ab997c86d
SHA512 a4b8f8c09f0f7157a331cbfc5140ab67ea8594b69399016c9d6252e1e90a251c01e36aee38efc54d57474ed2810f8d5e3c19b88f9c82b6f55ff4954bf758cd7b

C:\Users\Admin\AppData\Local\Temp\eUgc.ico

MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

C:\Users\Admin\AppData\Local\Temp\IsIu.exe

MD5 7c6e7eb7f6e4907f2552c410f48a1982
SHA1 65534f9d76030873e384cd8769cabc5d87dbc237
SHA256 1ad23483a4eca7e8c8a539c93d757a7ea75664514771d3e8d0b676b1f17319a9
SHA512 f6c98d21c97cff4a5d5953d424097d76537d7b6baa55b1e12c17b60f7747649ef17ee9884f398287fa9d0e5374318eece7ecac44c49090d51b0fa4fce2d78b8f

C:\Users\Admin\AppData\Local\Temp\aMUG.exe

MD5 60becb52a418f3546077782f12a46e7f
SHA1 84b2e8d8c11dcc30896105bb3c5fd6c76abba1b8
SHA256 4f9b65015cb86a0b7620533ecfbdef1d78e5b2ba93a2dffe6e6985f047e59ff0
SHA512 0d8ff8688b6366efc80cd1707365b8692ce7c2906d367b8b2ce373829dfdf6675a6a5ddd44f00e8931d504d5d65f12060c0c74591bae15fa863148d95d83b6f3

C:\Users\Admin\AppData\Local\Temp\YQsi.exe

MD5 a0a1a817c5a509f719281a3e1b736ff8
SHA1 25ff49d2d63a3753d2e6ffe5e85819ecc91aea55
SHA256 fd002b8c86c8e46a4578cd5de33793dcf5cfe597f237e02d68f79c8a2751f1fd
SHA512 bcb838fab875b852498de73489d21a0a1a5efdb4a3f87eb11ac279d958d5c194f7072568d4285dea5fe8d41b640b18996eea39044f2a2bbc5cfc3d4ce0316609

C:\Users\Admin\AppData\Local\Temp\OokC.exe

MD5 078ceb41a3cb0516f90a0c067d9cd253
SHA1 ebe9724cb2ebf0f5634d9f5ac3d9ac28d6b890e9
SHA256 45ba74724e133f56ce8224b925f915618125da393435b95ad000bcfced28a214
SHA512 e6fd9e5cfb48eabce6456ba0888daeb2f4602968ebe3f2fec90217325693515dddefa552726517aa4cefff0fbaaac1b24614c333c7702707e30de041382c9b9b

C:\Users\Admin\AppData\Local\Temp\wcgS.exe

MD5 92f406ab4a795e03fd4f5e9abfef2c95
SHA1 c0e41e1e4865fcd5e2213c332315c498bfaf599e
SHA256 1e2529cc46119fc31f618221e40f7bb62ff42aa4ee824d4e30680fde70f20737
SHA512 13021dd703adfa9d5930bf84722c472e6c384cc82326dfb3ff4c492d28721c591c67f9b95524e9d7bd889d7b5c596a373261802b1084de82b3a0d50e23194bb5

C:\Users\Admin\AppData\Local\Temp\AoMc.exe

MD5 029cc0bcc8b8fb166c80dda8cdc4190b
SHA1 4b7c6718c418284e40dc02a8c37a96f7548a7a77
SHA256 b11cb947a2a040593f3a84479c55f1961cfca22e5978f6e6079e325a29e866a4
SHA512 e46e39c23482efcbefce819ea276424445f70a11ee973f8869e6b27894dd809422ec1b177ba3fd7e128911df071c7849ec0dde2dd31c2c778f364237dcd6696c

C:\Users\Admin\AppData\Local\Temp\OkAq.exe

MD5 8f463eadf5b26e531d14f2f1f11aa363
SHA1 44c5a25b21cf27b81c1496e9ba331507a744d9d8
SHA256 2ef9d16aa174a00d475de490386f99494639a68dfdbdddd578a0235fb176bf2c
SHA512 78e31177a90a2679565b21836c9e2c12172004652c9df5e2cc23addaa9043108543dbac83fcb70ad41824905c9bcdee87ea5d5df1fbf3db0e10d10882db18340

C:\Users\Admin\AppData\Local\Temp\oEsE.exe

MD5 49880533e0a2078db2b293b57d49c822
SHA1 2270cf57049a32c4ed9da9da14103f0719bd3990
SHA256 2a3280cc6fc5eef579898db01042d79b22bd1dfc3244ac19134260dbd7db51dc
SHA512 4937922455001779c4eb8fc67f66b2f4dc22d52e7150c3af412660b2b24e1b356d93c778fe9bdbbd01a16a512801518e28b50e2b49e58e7905ece719f5cb8cb9

C:\Users\Admin\AppData\Local\Temp\uQIK.exe

MD5 c73276fee1aea5fdffd54b70f48963d9
SHA1 4e6080cc5189fc8a261d5f9b5d33a83b7e461283
SHA256 49e4acf93a380098bc7e0b30638f7b56d578037f275327eb8880d27ecb5fa76d
SHA512 c4f6a52853b256bf4ff98813c763f51b4e9f851016a36d97e33b42acaf8ff4ba482e750a312f05eb44c94e5eb4b20a2a5672108ec3fee05a1982b661f4e891e3

C:\Users\Admin\AppData\Local\Temp\KsUM.exe

MD5 454f8690392b0d6e358b724f80e03715
SHA1 4db6930586558b0b964520e8284c9261c310fdf8
SHA256 b60ab0c6b596dc120780d9744cb5571293e0a86acf39d2a0959d13fe4fff3fe4
SHA512 204ddf5ece2d7a5e15439b414e4a9b5ec79479cc41b752474a04c56f1ac16ee214ffa8324f0c3c42ab4df52bfda62dce3b67a17b8f70cb52d09e7ca4660697c8

C:\Users\Admin\AppData\Local\Temp\MMkK.exe

MD5 f62e5003c4e0e69d1eee6c6b64573a12
SHA1 ca778762fbd60c1c1ffebea2b51759a2c2198bdd
SHA256 78df0dda232ae88a9b363cec9258cfb5675aa01e32ece3889dfeef85c1388146
SHA512 b26a820d0bcc8c2dcbc9ea8028846f69abc367d7ffe0a7e208c016f305e231a302e511be5915f4f5146f6cbf41cb732c28252102e885ab1253496c8d0d5dc41e

C:\Users\Admin\AppData\Local\Temp\gIwU.exe

MD5 07f0e3d6ef1d46d1c30c680deb3c1d3c
SHA1 d591736f8bc0a6d0be2a33a58202009d6f000102
SHA256 e93bf8279ec34221b9006268d22ee7863d2a61569b7db033ebd45e76c3a2593b
SHA512 09b73c2e83b97f72fd2828cb24aa8e9387def3945c31de2158e12be5f78231dcfc0fe6fbee7c933b1989edc9af2dbb4bd3b2f5cc56acae4c49d0cbfbb472d58f

C:\Users\Admin\AppData\Local\Temp\KgAU.exe

MD5 30e5daeff872c3d7897eaab79b832649
SHA1 d8358b0e0e8c8a428e749477ba228c2193e76ad9
SHA256 8586d5560a7d735cdb1d0a092f58bb0a8c353877ab1f2514deda765723a6f19b
SHA512 dc84794ea1005e5681d4aba1492676dfa968d38812137092cfb72d5a93840e338feeba79fb6561bd3b5582c40c383f3907d1933aacef90433474d3587f916e6f

C:\Users\Admin\AppData\Local\Temp\KYgo.exe

MD5 915435a6160e900843c911b17d6859e0
SHA1 b935c5ec9da4c76e6652fa2c7f3a0bd18e8f5686
SHA256 3f104c89abe5222e105d3d2ff6da34dfc1fa3dee9600f2afccf0e2cf49c6eb7d
SHA512 fab38f5cee9bb3f78eedd81a33d6363d0403b9e486670235bd78c1abfd8c5bb4b9c342e96218c37c88693830f916d4146acc0d9bc48f626578cc414a3ab5deb9

C:\Users\Admin\AppData\Local\Temp\eEMu.exe

MD5 916cf6d03800bb3d863f0caa984d31bf
SHA1 2544b8b6de40e627824ca6a74fee56ffd3f79f1e
SHA256 152e38bfda54238349bbf276bdc5cbb3786c3c3b84e95a6a0c75cc4868c2f01a
SHA512 6f327ede08682b580e23835b7b8e1e89f85f5f82d2ccd2583a8b589d91acbb367cf0e84da41c49c1e3e4e5c90e7cea8763d04077b85ac2289c0462b61a0e1afd

C:\Users\Admin\AppData\Local\Temp\iAsK.exe

MD5 9a2d595823ab1a116ee37039af3f1218
SHA1 2585d162d0366c9608ae52ddaad6592aaa219b42
SHA256 00b53a379625a1dd02ed4d7cb708c83037d9941a23e681c614b9c8bd4569373d
SHA512 a36ee933310cfefba3918456724459429929104b812c07614477d88e68d9643acff5b40e10424887c2edd4c2546c1ccea1cac9c461bf93419b16a7450b2ac65a

C:\Users\Admin\AppData\Local\Temp\Gkoo.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\AppData\Local\Temp\UokM.exe

MD5 4e21ca18f89939aca4d6354c1c9f3f17
SHA1 3baf86a7ceb4aa8cd1866d8f18803167d96ca016
SHA256 d2601f7b5fd61a501c4fa2af7c054ed04e092a7c5629f96e9c521927469218c6
SHA512 b9ffd07f4e8b5654506947e32c595af01feffed11deb9bd6bdd64f32e042e61a04b8abd7b8e6381ce46fc8a3f5b0f4709b773a37ca3e1c43c30b349f6a19437f

C:\Users\Admin\AppData\Local\Temp\iIEw.exe

MD5 ffed10d6aae4089793d337ef5f7b6b66
SHA1 77938358ca915b07504cd820cc7797d2f91c35b3
SHA256 2523dbbc482b7c0f6976dc34066b4b0fe080b45178ebce50b08f13f992f3c073
SHA512 de24d2808be721ec9c451246b2f6d8d80ad769e5198ec37a0f060d74e434d2b21aa60e7cd1f7b7f162ea102daf37d5244ffb5f3b55f89f2db33855fb50207a7d

C:\Users\Admin\AppData\Local\Temp\QMgQ.exe

MD5 c199fee7dd248814c3d25c1b12d720e7
SHA1 0d31f63cbb2d80ceb58092e718576fabc9277b87
SHA256 8540311e21c07bb7ac7b85ff95b426fabf253ea72e6371aa15eea337b21a34dd
SHA512 20c038a2585b8eb6eb6219cbadf0f6de956eeae984606d670212ef2d98a7963f1a259b20374d8c757c9e7cd08a1cb04e2c42c323c0580f22f30dfe84807eb0ff

C:\Users\Admin\AppData\Local\Temp\akMg.ico

MD5 f461866875e8a7fc5c0e5bcdb48c67f6
SHA1 c6831938e249f1edaa968321f00141e6d791ca56
SHA256 0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7
SHA512 d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

C:\Users\Admin\AppData\Local\Temp\scES.ico

MD5 964614b7c6bd8dec1ecb413acf6395f2
SHA1 0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f
SHA256 af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405
SHA512 b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

C:\Users\Admin\AppData\Local\Temp\KQkS.exe

MD5 4c45b8851b056d0e3de6db010ee12df5
SHA1 8ba60049124643e18e709742ce796d7949d38d26
SHA256 0657d8fa81cc0a240f40b0ad70772733121db94b4c8be9e124b04e132c9d0048
SHA512 c0944b725cdd2535a2cd4f50fa315ab85f7b9db4ff2d5f4ae511bcd7e1fbeae0b46d820e7ae260daba28fdd51f556eca7f66de1b6d9375a738bfcb1e1a6d91d2

C:\Users\Admin\Pictures\AssertConnect.bmp.exe

MD5 e92a131f46b55ad2a6c28464c76ea39c
SHA1 c2a2f56e57d59d6dd5c4c12a50a33a556b234a2d
SHA256 ba93d37253f13ce5b2530fd0555bd347e09f6755d29da528845f79e018d30050
SHA512 cbf4b0bc808c1b47d85aa54cc99805ac2370d420d804eaf0c395985cde01d4ad949e1ed38548846c486db93a1e99748076cc0e44e24c8132dd7424dd2eb65a3f

C:\Users\Admin\AppData\Local\Temp\AsgO.exe

MD5 c446a7b3f68f5a7d791386ae32dbcfc3
SHA1 6882d54226e2be88e28f04ad7c4161de9b27dbf7
SHA256 8c41634c3986813461067f54a8baf6257e1547336830f5eeb63e4e098bb099d4
SHA512 20b3bebc3f9d3dc3f55ddc49f30cdab3139674d0c107e92ac940e5a824328a04ccf60b7952e2f87ecd44f921cb5ed65c8cedacc4c5cf3f6a378f1c9026740715

C:\Users\Admin\AppData\Local\Temp\IsYu.exe

MD5 e852f37a98acd6297c5fb5cfaf3e964a
SHA1 11b207cb65c3c027039026d961ad6efd8c831db0
SHA256 8dad218194f850f94c1bf6d2c7ca99df277c20c40eb1dfa9535bde006f070aa5
SHA512 0c7b6db0ea3a57a5e7e500dd7288c9934ad20cd105f8c7d9c555c513e40dc26bfd75a173e1f52575087645b63fc95c3f3169fdc8837a738d91f4840370e734b7

C:\Users\Admin\AppData\Local\Temp\ScsM.exe

MD5 4aa0807b982620e26632f4d61662d1d1
SHA1 a3ca29121da674ceb2a7b0a0dd16f486aa9211af
SHA256 34bb906b91de83d4ed4ea475bfdfe1cbb1c7f2a2624423a3cf24ec832d73f0bb
SHA512 88c1e55e64eb7236e87385832585d4be0163fb9ef5dfe7eac5978094968bdff74ac804bcc81bee2554b236843c0945564766703b956cc13dc4b510d94df8f06b

C:\Users\Admin\AppData\Local\Temp\yAAk.exe

MD5 b48a830e6590ad9b1a96dda0a55c6fca
SHA1 28ebc1b2c35f900d0b6bec452fd5d1dfac03f7a0
SHA256 75c968099ceb1ae2332bf95ed9b34f18411a1b1d14ec2a1fcd3bdc33de2e2a70
SHA512 3afa25492740e1278ca6a206e1523c99943a34ebcf629456c55eac5b82b3e6585a77d8018dc2a6f8d6e8bbc658c1f07970161042bdb527bba057d287d43295b9

C:\Users\Admin\AppData\Local\Temp\okci.exe

MD5 0155df197c166626474606fbdca91001
SHA1 77c8f1324d697fb6383d4b222b3752ba5ed87cdf
SHA256 2494de69da1e38b7e473eccfa2b6a8853ae18d9e9d838d3b7ddc7fdc31906d12
SHA512 7fb4955b965eaf937a730e4c6f62db3b8d3a632bfffe4b964f43234bd0f8af1c21fad03cfd110efe89085ea5e443cb079eee73a7aec55f6234824776e18576b1

C:\Users\Admin\AppData\Local\Temp\Csgi.exe

MD5 b07621ba0e46d32b87338ab194da723a
SHA1 e46920210ac1c7c029b427fdceed1aa378c1c3da
SHA256 05c2b9c33de2eaa9c60067b987b84414df113b9382ad83ceda180028e3df5e35
SHA512 f09fe9c07debb4470c45742b763af134728c4d1fbe7813d7d1604cc5410eb1b213c02129b4017fc751e7643cde0013ac9988b49f090bc8e17d00b02a0fe514e6

C:\Users\Admin\AppData\Local\Temp\qoki.exe

MD5 2de0dafa56ba53d42b7450f237e5c4b9
SHA1 d54b4d5178c146a4c6c9fc5c7e16984c53a3e649
SHA256 c9bfa4be3144b323eebd8094bdef02877b261e28ebb7a7f3f26ced56a483d5c6
SHA512 74a5fe2bdeb289f28c4d86c65550345d51b9ec25674c22511068fbfd9ed62a561e9968060057276e65b877e6686fa26fe34ffc5c290932d140cacce0f7d2170b

C:\Users\Admin\AppData\Local\Temp\IkEq.exe

MD5 0d6abf63ad921c31b013f81e0f9bb75c
SHA1 3c34fb1f060044e6889bc2bb231517a1e93762e7
SHA256 dff380849d45b183f541f8752a1bb334206d0c7cb589463a8da49986bd29e7a0
SHA512 fa721818826c2adc196dd7744a213424bdb83ed210d443faf868c49fc384cd71daca81f6545a2fd4d11ac20966bbe1d0509ba843c0bcd09df494a97c5b450be9

C:\Users\Admin\AppData\Local\Temp\Wckc.exe

MD5 11586c5a4f8dab8ce18a122cb60e74ed
SHA1 39320eaa04c649d56eb655049345c7db79553eb8
SHA256 c07842fbac7f73291d3ad972673ff4feec8f233baf8b039ee59c0dcdc717fb2c
SHA512 4d459e04784d90246c3dc4184a8467f23fbb79365272b96715d26f0e42fef8eb4adfdcb0e6005ead3cf4140b1b5f949b48616088f8499a91575af2a6c76435ba

C:\Users\Admin\AppData\Local\Temp\QocO.exe

MD5 e9a89c51746a203cdb6e608fe91fe30a
SHA1 2d5a74e85ff0eb2cfa0325cab73afd7acf080bd9
SHA256 b3802e73186f056b60d9cf4975d15f6c44622c78ac3f190789b3d14529a5b10a
SHA512 620420e2be175fc90f261317881dbda43023b9ac01e9eaa152009d4d305fe959f777954c4177bd182ac77cd3924fc58ca054c7ae06a24a80a09a218ef4e21ef2

C:\Users\Admin\AppData\Local\Temp\SQEO.exe

MD5 bcb53d412f5a82f8cffb09d691db5625
SHA1 299436f9ec2e6bc6dbe1f5cddccf99fa99cb0524
SHA256 7cb5e9adb7d43266ad998e138c3798216be4ac779e61408cf5977f47d5905c79
SHA512 7ae5c6661d0484f453fec9d3a948c7df9b8d7835219fb151c25a1dac30d12a763d4a1ddba627c300da6350c89417b140515e7ddf46ae63b2613e31baf55e330a

C:\Users\Admin\AppData\Local\Temp\SoAg.exe

MD5 29d07b4ed801ea722834793ae244ac4e
SHA1 bc1c6a0e741f58b497ad24a9fbbd44a43b09a3f5
SHA256 8f77b699d4460012a0f920e9a8e4bdbd76f7312f1cc5f6f59179d3dfa8adfda5
SHA512 939bd2704b2ebdc7d91aac6ac76db6560c49925fe456b1d97a2333c590a7f6bfa4040cf7c2a68be860c01c38cbc17a5ca2725e5e346ac348b2b68b09619b66eb

C:\Users\Admin\AppData\Local\Temp\EAkg.exe

MD5 7eaf510e36048fea7f675dd8afa823cf
SHA1 30a8a1fe6b70fb3a0379305edc26ef2fc62c8faa
SHA256 48cb3bc92f800223953294dc754b0af4f76c6718e69b9bc75b213b87e5a15ac2
SHA512 48665ed4a0bab06eb5b813e0bb6f630a4a5dd14e9b8211d8e848c22d407dee452cf799994c7cf330f7683d038c82be6b6f43242d14bb282fa30e12c68956a0df

C:\Users\Admin\AppData\Local\Temp\iksk.exe

MD5 e0606b56964c957fc19d7ad56ca9d4fb
SHA1 c9bed48c9aeca1aac922fd72d5fad869e1261c2d
SHA256 7954934f40a3daaa09370be1e214131dc660acefb39e1fc93b3cc87e5ed7d44d
SHA512 8e161ba84fd93e21af7bfde0db1247b8f4b0fb0ed0502df1e3948c3efb866f7e2a90e3c1185b25c82558bc6352cc29a6868b7f15184d35fb54001449461100b0

C:\Users\Admin\AppData\Local\Temp\EAUy.exe

MD5 7852b75a88fff4fd6195fd555e706b08
SHA1 1f9485e9ba175b37a6522c596bd3138698ec81d3
SHA256 0905ee676c7bbfc8c6afca10b4f95eb21963fb23390c991a218b46060958b07b
SHA512 ba7db471a8c72d159ea6fb6843d968d3418fb494820c7290a2812d762ac8e1af4fc4ab1b46330dd34cec52d36e8976b839aeaf7cad4e54f8025b7145f770ae98

C:\Users\Admin\AppData\Local\Temp\KsUW.exe

MD5 3a78ea734e070cb15f251f1179e28273
SHA1 9ffa5d8e969bfbc619a0a9c0d01b2f04dd493b49
SHA256 e527cc88d309170c48173f837f9b8474cbfe82b2d6b9df83d909dcd0ced24433
SHA512 fa4d34fb237a63da2142371daca314da149448ce9f043bd49604b2078c7276d6e6927d21f66f7e7e0865d2ea5344537254e94a63e15b7b077e174a7c93cf2b5f

C:\Users\Admin\AppData\Local\Temp\MwkW.exe

MD5 1dee5b4880a260e142f7228cf2963e52
SHA1 cab6110637da00d45ee73a076890fe1be7079b6a
SHA256 70c769410fee422fa550ac34f2e1630b97432ae4decc7ca49b2ae0f19a30df43
SHA512 091c0b1b8be8c8bf72e93fb73b8cd2611b7f00e328b8bb6161fa84068ac7a06c93f1e741fc3673a7baa77db3959473eb93309d6e95ffe1b081d2022adccb43e8

C:\Users\Admin\AppData\Local\Temp\Eogg.exe

MD5 f6f30d9e784a9fd56c917b009c295a80
SHA1 12fd47c3938ffb8f0cdc2d47c0df96087f56aff9
SHA256 6adad15f6ce4263a7581b6e50fc7fa8f17b214593561ce84c961ebf02a6fbb08
SHA512 d4df1aefb6e7d55bc986dd393ad27c4298ce2b08ecdf18ce43a6770cf9cb2c073d1d062f316ff5260dd7e37d4359c1b74e093b73e67b0094e8ec10e0b5adb78d

C:\Users\Admin\AppData\Local\Temp\EkMw.exe

MD5 7131bf1a64fdddc3446d4f86b3467b8f
SHA1 5041ceb72b862187a6385b48178a1c07541983e2
SHA256 d73190d26b8bf80e0b6c95d77b2fa0999bc63be1e9769182ce6b8332a56a01f5
SHA512 14f2946ce262e5e06cfcc421a662029d247abac38dba106b308185f0442109466ebbc867afdecf707379bd4e146e6bb5355d8e77ee54df74299c244b112042e3

C:\Users\Admin\AppData\Local\Temp\Ccog.exe

MD5 811954e22a731254b98b594a0ed33dfd
SHA1 66fd0af59bb7c3a457d7627cd3af99d02443dc1b
SHA256 eb73595a92c4e485492d7cd9bf174ddb4dd65d86b224ebc1090326981c534d7a
SHA512 f71943c7962d0c3f49da126ac0697ad421ee44937be29f299df9d29c4260d6d57033e9e118c6e78dbe4dfeb402bdd513fc396c378a32a608dbe6c399ac0cc9d0

C:\Users\Admin\AppData\Local\Temp\agMu.exe

MD5 df088896f79f1d66a1cdb4bb88e0c13d
SHA1 c40b131aec8e9c6fcced377934252d084ad3d18b
SHA256 9e7e7116fa11004de91db003bad65bbfc4636629a6e5a08aa39e1d79a7b77e53
SHA512 4bf444a0f74529b0bda17cadaaf8caaa094c9d9cb71a99f5891c33b007f629d460ff3729aa60b8706d5616cc298dd66b82b331e33f6c3c8e9fb8905337604307

C:\Users\Admin\AppData\Local\Temp\kIMm.exe

MD5 083c789bddec9bf3fa1585218dc84fb6
SHA1 f3e78aa73c13dc56ac4da3bb02b083a9ba8973e8
SHA256 7e9149cf04958313f9d1636b89b7a97c5ac1e9f2a94e1a1ed4140ccaceda2892
SHA512 4e6deb929d0e1ddab8e217b8121107b283109239a7d223d6f5fcd5a5aeae591280aeac4610b6055a65f5e827f91e460be59d134439a8b9c4c486f42da4f9e2d2

C:\Users\Admin\AppData\Local\Temp\QQgi.exe

MD5 486b2ae9abc3080893af2a34cc5fb33f
SHA1 f426ce0a9c70fb00f7a4a6723bc046930f2f538f
SHA256 41d19b2a1a2f4249219385593d8a9c5bbf0687401248635816d32749af0516d4
SHA512 05b323c27ed67aa31fa48c715047bbb3044b2d40ffe61a3e2c31400c9803d5b7bcece4432e9cb9079f28c8901c906595939975bd8f3732a782586c0f4827876e

C:\Users\Admin\AppData\Local\Temp\cQEM.exe

MD5 ba472318edf0a12cb16450a9aa88c252
SHA1 dc6cf5a5a5aa60254937654b2df53ee25191e4e5
SHA256 07fd4e2e44cd8da53f9a36a0758642677890c66fa4792e5a7cd2d80e4d7c4401
SHA512 d7eb7fe86625302288862e57a07d22115530b6b791a973bf8e2a718be3199ff7003345d43e948b9f83aeacae281b854a3b9d2520515682ed58c2e3acb0d09b6f

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.exe

MD5 5cbe5c177f2394b8782ab8c950d0eb4a
SHA1 820e7b02ccfbfdeaf36d4f943de7709713350f6b
SHA256 f8e08f5766aa9b0485432fecd116fbfd45827e617855b7f3050723c29297fe64
SHA512 757b4e2b0025d7b9064826f30fb30358a633e0b2ff84cdef39c44f2afdd29e39b2a0b774cf51e0b1fe01dbedd0434b9e28be1e55ee11be1ae9af09593f931f67

C:\Users\Admin\AppData\Local\Temp\YQYo.exe

MD5 83f0d185aafffeaa379786d7f279d1c6
SHA1 06d6a19d745046c48876cdb40b4e8ea359e932bb
SHA256 dd5d338239fc9cd657cb86718390efbccfa88df63efaf40e83fd0d6ec863abc3
SHA512 4c4066fab158c1592a8bf8cb9acd52d878a2bea9e3bb44267c99f23118ebed234d5577d5ddd1aa54b1cb9e3b39ca798636ea83645a0c571f6c65b1c9126dd052

C:\Users\Admin\AppData\Local\Temp\Qwwq.exe

MD5 ebaf19cec245ed8e067262becd1d3178
SHA1 8886c3f4727a98632a67c00ac9292d990f0f48a7
SHA256 f4f5ffd1f1bfb03f4bf261f168759b6ae6935bb4db81787320000692c7b2a50e
SHA512 ac5d15d49c9516eae89eb17186d647477e06195e1641bcb3edeeade5ecead21cf121a19c0f4dfa08ca7f6e57ea9bba19d10a19f696f2a49c748806ed13552173

C:\Users\Admin\AppData\Local\Temp\CYsA.exe

MD5 f68cad94d06ff2193e085f876c396581
SHA1 818256079d8e9de610183b9c5e215f87dc4b5b13
SHA256 ecbe3b3ffae590eef6a67327d4f768ff658097c004f032dabe175f901529a291
SHA512 b6b6cd79d125630d167b5f61f9cef93ef5cc743b3756179fc84696970e0e3a8582d4bbee9b3a3a25080fc6edcd71f248352eb50821c172f5cc7fcf9d821ec19d

C:\Users\Admin\AppData\Local\Temp\OswW.exe

MD5 5fe11397ae5e7092eb8d0d2dcd68350d
SHA1 d29575ed02c9752e678838114b710ed23d1503de
SHA256 7e74f11b0dee864d9ab7c5154458ff6c43541ad009a283de4eddc54e8f7601f5
SHA512 90263d2e718ea78451cf61b27aa0bbbc7af6ef0df24f62eb9a38360654716b45427ae0e884f69ceb56ef5ff0b236ee202947455f3d86fbe8940ea03ac67602ce

C:\Users\Admin\AppData\Local\Temp\icYu.exe

MD5 023b67c1aa12a2052a0a377be961662b
SHA1 f221080b7b84276a5bd4adf873573de6685b4f64
SHA256 4c1c697a0e0cc98a84ce0c32aa9ef089161e2ccee37f98d76ef81d9215d2a270
SHA512 467006135cbf9307581e5c176d193a8d0419fe74688d3c2cc1db1b5b8597f43619c09f0a4f178544d3e5244641d3a6ca1a00bb780ee5d5a8546a59020d62fdeb

C:\Users\Admin\AppData\Local\Temp\igIO.exe

MD5 245de863aa2b01f8564b1b6f3f2ad06f
SHA1 e4bb73fc39fa83a47122062ec1614155d3934763
SHA256 f5d859d65a618d33153a54a8c45035bcbd840b858c803c3ce2b22878c2be1336
SHA512 dfc315fdcef3c57e67ffb72441161697c33688cc3dd37c6d2687dc2df9864d426c3f7d9504031354f158ec8edd1eaf36e37e8d1d1e1b5c85f03e05eea2185f6a

C:\Users\Admin\AppData\Local\Temp\scAq.exe

MD5 18523c997721a67d1f3eaeb531ec475d
SHA1 9e8e74e25fdacded6c60b437ba96e9105de55c0c
SHA256 8ff8a2a16ed1dbf36ac4e6a8c884f9ad9026990dc16a2fe5c5a4b3045fe5327a
SHA512 8d74e984ea0f843f269d235ee5da252abdd358b05ef00bf09e2ddbd5bd33fcbed13d6338eb8c17a4c16d6a4dd8906e46467ad47676e2a868c9e76498fb5c4f65

C:\Users\Admin\AppData\Local\Temp\MMQg.exe

MD5 68ce30ba5d9a43c2c23b615d5881a0d9
SHA1 7d122007cba5a57892bc9b53ade13f8e37b2903c
SHA256 4d495076dad089aa142b1ae4c613f5b1dcdd21ceb704e7c5eec1deec3978bdab
SHA512 9457d4d6032f134cb83f733dd097869a9531a419f00fb701d3be8fa2aa5705feae1b3cada630929028720fe7ce89eae1328d3132dbe84e52fbcb0a43d024e1ad

C:\Users\Admin\AppData\Local\Temp\GIoS.exe

MD5 e65cf6107a8695ddbce9ee688431a631
SHA1 164111694b7f5e6ef18ff60f687b3fd4587efcee
SHA256 aa75e297b987cc79cfda786e739b2815a1fdd9009bcf33221cc5ecb64cfe826d
SHA512 1135ff9954c5d3370229f48148cac1b42d07f49de808403f9123ebf54256abc68af50cdc5e24ddfb8d0f40f120e7bc41c7827a366adba0f79dd4570ef02e1396

C:\Users\Admin\AppData\Local\Temp\SYci.exe

MD5 cc8b98b68d4df8f4fab30f0f1521eca1
SHA1 4e094c92d6caba7775cddc75070679f2c1c1febc
SHA256 77d6aaae022f96ecf163857c17e01e80a4db93dd2b7770e5bdf10ee33014e192
SHA512 149c07af3458f08f4d8e2787f49cee272be673bdecb46ed59352cbfc9746734aac98c79e158491395d61ec4aff171809854edebe42bb80af7309dbcb5267deff

C:\Users\Admin\AppData\Local\Temp\mAgg.exe

MD5 904860aab2f019690bd785ba59820cd6
SHA1 9a07e258846209c10589acc6a97c18fadb5b7b71
SHA256 7146c9ed10c4b570318d5142533bf0731f6beb9df26bb60d28ce74b2f4235ec5
SHA512 b14aaee948308167b191abafcf6f590f725d17f8ccc7f13c352af6634897ee94c494a308e4e4a19b5db453efafbe8996affee792c2bd259dba338d12627d7d56

C:\Users\Admin\AppData\Local\Temp\kIAy.exe

MD5 2c754280a409534224609959e130402f
SHA1 b67d1de7d7c3f6c51cebc2c3c46467e6cebbcb33
SHA256 d2931ea55a104a73b9680ec156f62e9603a4459946a5686f575e45d9e1cd1417
SHA512 b1f769604a93e8275795760d8e54e783d112595ec6099cb5bece3da3260ae4704ae70396ed4158768e14c3c171110172ba7621397cac77e0ae3efaf259f3e0fb

C:\Users\Admin\AppData\Local\Temp\sMce.exe

MD5 74c73d2d74c03c47588f9eda729fbabd
SHA1 95f56ea435705ecd696e5e125bee1dcbc90a07a2
SHA256 db6389c8e9c53d59a072bda0d1bac36d89ee644b0c425549cfc73282e294dc8f
SHA512 c6a8b252b5b0d458e2af00ef6a63336712c1e561ca8cc05e7b501330b07afd026388bd76bd63839725b8b8aa595e75ff14f83492e096a2f8dba5cc67db039aa2

C:\Users\Admin\AppData\Local\Temp\awsA.exe

MD5 ce961d1c345cfc61ce5e56da8ea36500
SHA1 313bbe7ec6d19cdda141e2b1630a2f5ac8fc7758
SHA256 96cb5fbfb86a80ce48641cc2afccd02997004736953dad23b854f497c7d5b4e6
SHA512 55993d850141e516c87ca95148820b1ce9a6b9a5a957979685ce16f94bec2e83312677d8fe69f9f91e8fecf9c50e50b95368b9b1a3f5177d6202fd91ffb2216e

C:\Users\Admin\AppData\Local\Temp\accs.exe

MD5 0ad5374c8578ad372c32efc792b9d82a
SHA1 c1e6737b66304bb6fa06da13f6e5a1ef945c692f
SHA256 0c67a0467764a1fd454cef97ebd2098ba6946e76004e278e0080388d56cc87c7
SHA512 515f2c80d95f77edf17db6dbfa2860a05e1edaac118a4ae87c38f123dcef419ee3f0473e7cbecaf06d8a25c8234c50b4d1bc935ae6b9830fc2927b92af5b101f

C:\Users\Admin\AppData\Local\Temp\UIgI.exe

MD5 32261dc8fae4b995e961815a8ac5ba37
SHA1 d9d276580c0cfeff6a74ecbc1fa327956be4d6cd
SHA256 01bd86058924b54509e967c20caf3d87b6eaf2e626f01c357ac8ef92a1dee8e7
SHA512 63c4ad39b73a1070bfa474b17f891100263b51069f1eeaa8e8793e92f0b19c13ad2423fae9bf334badfa45440d3f73dd0ee4fe8aaf8ced956a10449699148f62

C:\Users\Admin\AppData\Local\Temp\WIEE.exe

MD5 b77554593816762ff1b4d2999e5fb247
SHA1 cc3f3efe85b6756f87440380812a2fb0efe45232
SHA256 ff7e186964e399926bed2102c31df346df78bb2e2f3100c8d42c4012bcc48218
SHA512 4dcffcb725ea60f5d0bb5c75b6f425f2a27fce6035c1542f38add931429e230de5ab0cc66ed20907f499ba9e6c266798f956b6ee24b2b867938bc0e33b9b6da1

C:\Users\Admin\AppData\Local\Temp\kwkM.exe

MD5 50f9be21b6aff3ed63b66d4d25971600
SHA1 f98d93e1aefc901e662a92641020068506387798
SHA256 7a3d691bf89954a49543439e68fb237c5584e37882689e2b3d2c67ba3f99af2d
SHA512 5998273fe47b080fee1a969408ae16046c427b5a1d886b6aa557c9ea2388107a1ddaa280add2d2621fd96bcb938123edb90c80955f48929482db8940a7e7d5fd

C:\Users\Admin\AppData\Local\Temp\KAQC.exe

MD5 7d591be4f64d6a7e1c34020ffa5bcce4
SHA1 94fcda879fcc1067abcbd610038b661f90809d01
SHA256 da8555ba2a5682900222e7974c55ba127b07dd06513fb7eb7f943fad7346495e
SHA512 7e566562f4a51902cc84edd02a9f5095613e2315ce6fd3404a424c41054726e38bafb050d4e88c36581bff0da160688186685fbcd9f20008700f61074bad1807

C:\Users\Admin\AppData\Local\Temp\cQcK.exe

MD5 2f1b3842b7850fc448f6ad1b7d1b9426
SHA1 a6a5240f9c9232d90f1ec587984f3ff800a82a1a
SHA256 788010db805079237ba8470a1519beb5e70e6000a88725cd9f57ae03a9583727
SHA512 62a6a429f61146a43267a02cc28a819759eb50e593e5560e860e7fbb25b484ab2b101398e2a9d8ae17cc00519a2e096c4a67e0400bad040e657ceae1754663ed

C:\Users\Admin\AppData\Local\Temp\WskK.exe

MD5 319da184e64f047133cf0d4ec06be4aa
SHA1 12a2b55160dfc282ef942b2c0b10860805c48fb5
SHA256 c0ae6d3fbde7aa6b6d36a3eefe792c6b3c9b47e5cfda1f5cbf56c501c0369ed5
SHA512 df38ce207681280cc44be8d1e73f13b8e49f141c2a1b5d1c97fafe56df627a39881d9f6f4b5b64c7cc2d8b4e22e511425ebe46fc260dc25187a91c3d1a3aca1a

C:\Users\Admin\AppData\Local\Temp\kAko.exe

MD5 fe51421e3b5af7810bbadf0391cbc84e
SHA1 4ddfb71b293d46a70260d06514c8afa771ae0efc
SHA256 868c981b63c0e51d10de1e88fb8f272fb956f1d41d6ae76ef3621c7e80c0f0e8
SHA512 3228b655700676b632516e0ac928a23b4e6e9b9f35009e7610860617f2ee708f9cad369e002f845d17cd2b3dcc86e9d3006648d8dcbee68d0ce173f1f47cbc84

C:\Users\Admin\AppData\Local\Temp\SMko.exe

MD5 896345b3e7dc93249ae7b471c49cb3ba
SHA1 f735d57ffd9e2487b68a6629c3afef4cc9ef8de7
SHA256 51f57ebb82a9af16f8938b1bfc9dc9f32ec5e78198ab9e3e964e3c8326e43101
SHA512 8390c2d82b005193bef0aa988eee5db79251dc11c4b62fb926b30e566d2e9ec9b4e017abd502ae1489484e3126597465dd5d229fea3055e77f4d340e9131d2d4

C:\Users\Admin\AppData\Local\Temp\MUYa.exe

MD5 412454663a7047a3644e1a4dc2043cec
SHA1 a8e642be9f617792898f96e2bdad56c72ab1224a
SHA256 a9b8767b995c24e73d0a84f0b0f62379f93a08c36b704c5aa034229633ac2ba9
SHA512 2ec81eaa22d21158cebf52e8c4612707f283bd6d97e795c138234722ac01126eaf0c39b2249034270f9746ed2a7265e7d3cde53a9fe6172bde799e79d3a04f8a

C:\Users\Admin\AppData\Local\Temp\mgoi.exe

MD5 208a17f5a6b386422640832123ad2a5e
SHA1 aa75df77d9a0f5681d22c3de6cef205337f9f1a5
SHA256 8155d5d1fa1fbe0f77ac8231dd4ed7f0f41f0c5434648cfadf43d61b614be6cd
SHA512 67dff15382db4f6521b0d6156f6fa61f7ba735539a9d9005e4051c40441f94e9704cda3ae9c19b0ae50d41ed1fa82f1542f60287ba95781b46c1c86e81e15d9b

C:\Users\Admin\AppData\Local\Temp\GAwE.exe

MD5 8641c1e58033a17b88e5aa6f8d53bed5
SHA1 574a4b1b5ad0a9525af3930e89d833843cb8da76
SHA256 2421ceaaa413ac4e24c6f1ccadf85099dc34765dadf41a15aaa632eb887fbbf8
SHA512 74aa32c00fd523c44430af55b197f68138c720f42a3ccf97451c8d21ef325ad8f47205ac4eb928729badf9b065d900e790f23ff02b7a75ed68e28b8b211a74ff

C:\Users\Admin\AppData\Local\Temp\AwEC.exe

MD5 b8c06b1ba08a69333426095b771e77e3
SHA1 1424e2a82d26ed248adea67c04b28f40960febde
SHA256 49caca9614f428fefe2d53de98f7203e2597b9c2ad28338d6c0bd3531cc8c6a2
SHA512 56c98a2a8ce67e415bf38786e3c530d75672b217df69d11641c51a7e6e8e3f612797963b52e22f84cb609e7c65348f59693e3ca044568a9accd640c421956a5e

C:\Users\Admin\AppData\Local\Temp\MMUA.exe

MD5 adae31c558191db9e0a5f9385b9102b3
SHA1 5bb3ecc5aadf3eeac926ca2970448f28592dbf0a
SHA256 6a837e81a7e4e5ffe2ddca6e9b2e3abd468faf7cd56040e1d305fbf73eb8edba
SHA512 64178c76dc774bfe38945014e675179812ab7d1c52161380787765d93e93eb02bf955e62d306ce45d8c48de499bcb55141d0530543e2486750f54a70485b8c9e

C:\Users\Admin\AppData\Local\Temp\wMQm.exe

MD5 5f5131472f4a967d8503fd9a5fa9f12d
SHA1 ce53796b61913265af093ba48ef494b4468c2b47
SHA256 e67d6848aea7065c8fa18ae8c3f53566e8c231cd785d3d73b212d48d0dc6e5ac
SHA512 a1c17c5524f3e4191d2c7611cdf3f2757d39c6e79fc9cddeb9d41529b89fa828712f48d23e3419fc03e8b11035ae4768ea6537d09445b7f00497175be4893aed

C:\Users\Admin\AppData\Local\Temp\IwgI.exe

MD5 fd0317e837e77886bb61a63f5017f7d2
SHA1 f42ac1ee504054d04f408fbd7336c1fa425349a4
SHA256 178d4fa589ce8631cfebeb55bdf8233dad0ce604af66115e095918f9162dec39
SHA512 0d391debfbcb9fb27d892bee77bb96678cd878b2f704ba90535d91cce5b7791c7a32583cbd6bb50c8a434fa9213df2bfcf77f1940699a326edc7031513aebae6

C:\Users\Admin\AppData\Local\Temp\mUYe.exe

MD5 2fac0fe18e3b934518e3af04d0076ea4
SHA1 2d026d15b758c92de49fa72693b818cee4fd6c2b
SHA256 d32827a51338d3640ae0e6a8b397d7d669b27a2d855f96f87a776ad3d5b1b3ed
SHA512 4c3da5f92fa1b8f23722064b731faa3ea14388592fd7f5bd8c7819663072ef820986eb0ec73e4d5f0490a7eef860bbb535439d885464ba4cb1d5fd5605001a20

C:\Users\Admin\AppData\Local\Temp\Qkkm.exe

MD5 56d3a3bf464ab5e032df406b9ceac589
SHA1 d3d46c01138a85a54821bdb87e84914ccd2d5f1f
SHA256 1d45a38aa0990023e76632b992ac9ccfeb58d4091620dbe1bc67ed2c75580a52
SHA512 7ea2b973ac6a3c01c4e58c84075363b4a864e33cf21f218d6d4fa9639b956885f33307deabc1ae9cb2ae5cabda55fdb6b4dbc902804e83d10a55d147e30bab6e

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:34

Reported

2024-04-03 11:37

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\reg.exe N/A
(35 identical entries, collapsed.) With HideFileExt set, Explorer displays a lure such as report.docx.exe as report.docx. The writer is reg.exe, not explorer.exe, which is the process that normally writes this value when a user toggles the option.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
(35 identical entries, collapsed.) Writing EnableLUA under HKLM already requires an elevated process, and the new value disables UAC only after the next reboot; the signature therefore records UAC being switched off for later stages rather than an elevation exploit.

Renames multiple (72) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(54 entries, none with an indicator or process recorded; collapsed.)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\hAUAwkMM\EScAIMcU.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\hAUAwkMM\EScAIMcU.exe N/A
N/A N/A C:\ProgramData\ecgoQkUI\POQUIsEs.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(54 entries, none with an indicator or process recorded; collapsed.)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\POQUIsEs.exe = "C:\\ProgramData\\ecgoQkUI\\POQUIsEs.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EScAIMcU.exe = "C:\\Users\\Admin\\hAUAwkMM\\EScAIMcU.exe" C:\Users\Admin\hAUAwkMM\EScAIMcU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\POQUIsEs.exe = "C:\\ProgramData\\ecgoQkUI\\POQUIsEs.exe" C:\ProgramData\ecgoQkUI\POQUIsEs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BUQMoAUo.exe = "C:\\Users\\Admin\\DAMssswc\\BUQMoAUo.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HMAEgIkU.exe = "C:\\ProgramData\\noMAsIok\\HMAEgIkU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EScAIMcU.exe = "C:\\Users\\Admin\\hAUAwkMM\\EScAIMcU.exe" C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
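The three registry behaviours recorded above (HideFileExt set to 1 and EnableLUA set to 0 through reg.exe, and Run values pointing at randomly named directories directly under the user profile and ProgramData) are straightforward to turn into host-telemetry rules. The following is an added example, not part of the sandbox report and not code from the sample: it evaluates Sysmon-style registry SetValue events (Event ID 13 field names Image, TargetObject, Details) against those three patterns. The event records are constructed to mirror the indicators in this report plus two benign controls, and the "shallow user-writable directory" heuristic is this example's own, not a sandbox signature.

```python
"""Registry triage rules for the behaviour attributed to this sample.

Added example, not part of the sandbox report. Events follow the Sysmon
Event ID 13 (RegistryEvent SetValue) field names Image / TargetObject /
Details; the records below are constructed to mirror the report's indicators.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RegSetEvent:
    image: str    # writing process (Sysmon "Image")
    target: str   # value path (Sysmon "TargetObject")
    details: str  # new data (Sysmon "Details"), e.g. "DWORD (0x00000001)"

@dataclass(frozen=True)
class Finding:
    rule: str
    tactic: str
    image: str
    target: str
    note: str

HIDEFILEEXT_RE = re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I)
ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# explorer.exe or a settings UI normally writes these policies; a scriptable
# tool doing it (as reg.exe does in this report) is the stronger signal.
SCRIPTABLE_WRITERS = {"reg.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def dword(details: str) -> int | None:
    """Parse Sysmon's DWORD rendering; None for string or binary data."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def autorun_target(details: str) -> str | None:
    """Executable path from a Run value. Sandbox exports quote the string and
    double the backslashes ("C:\\\\x\\\\y.exe"); raw Sysmon does neither."""
    s = details.strip().strip('"').replace("\\\\", "\\")
    m = re.match(r'^([A-Za-z]:\\[^"]*?\.exe)\b', s, re.I)
    return m.group(1) if m else None

def shallow_user_writable(exe: str) -> bool:
    """<profile root>\\<dir>\\<file>.exe or C:\\ProgramData\\<dir>\\<file>.exe,
    the layout this sample uses (heuristic of this example, not a sandbox rule).
    Installed software practically never autostarts from there."""
    parts = exe.lower().split("\\")
    return (len(parts) == 5 and parts[1] == "users") or \
           (len(parts) == 4 and parts[1] == "programdata")

def evaluate(ev: RegSetEvent) -> list[Finding]:
    out: list[Finding] = []
    writer = basename(ev.image)
    via = f"via {'scriptable tool ' if writer in SCRIPTABLE_WRITERS else ''}{writer}"
    if HIDEFILEEXT_RE.search(ev.target) and dword(ev.details) == 1:
        out.append(Finding("explorer_hide_file_ext", "evasion", ev.image, ev.target,
                           f"extensions hidden {via}; report.docx.exe now displays as report.docx"))
    if ENABLELUA_RE.search(ev.target) and dword(ev.details) == 0:
        out.append(Finding("uac_disabled", "evasion", ev.image, ev.target,
                           f"EnableLUA=0 {via}; needs an elevated writer, active after reboot"))
    m = RUN_VALUE_RE.search(ev.target)
    if m:
        exe = autorun_target(ev.details)
        if exe and shallow_user_writable(exe):
            same = basename(exe) == m.group(1).lower()
            out.append(Finding("autorun_user_writable", "persistence", ev.image, ev.target,
                               f"Run value -> {exe}" + ("; value name equals binary name" if same else "")))
    return out

def triage(events: list[RegSetEvent]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]

def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

# Constructed events mirroring the report's indicators, plus two benign controls.
USER_HIVE = "HKU\\S-1-5-21-3808065738-1666277613-1125846146-1000"
HIDEFILEEXT = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"
SAMPLE_EVENTS = [
    RegSetEvent("C:\\Windows\\SysWOW64\\reg.exe", USER_HIVE + HIDEFILEEXT, "DWORD (0x00000001)"),
    RegSetEvent("C:\\Windows\\SysWOW64\\reg.exe",
                "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
                "DWORD (0x00000000)"),
    RegSetEvent("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe",
                "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\POQUIsEs.exe",
                "C:\\ProgramData\\ecgoQkUI\\POQUIsEs.exe"),
    RegSetEvent("C:\\Users\\Admin\\hAUAwkMM\\EScAIMcU.exe",
                USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\EScAIMcU.exe",
                "C:\\Users\\Admin\\hAUAwkMM\\EScAIMcU.exe"),
    # benign: a user re-enabling extensions through Explorer; a vendor updater autorun
    RegSetEvent("C:\\Windows\\explorer.exe", USER_HIVE + HIDEFILEEXT, "DWORD (0x00000000)"),
    RegSetEvent("C:\\Program Files\\Vendor\\setup.exe",
                "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
                '"C:\\Program Files\\Vendor\\updater.exe" /background'),
]

if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.tactic}] {f.rule}: {f.image} -> {f.target} ({f.note})")
    print(summarize(findings))
```

Run against the constructed events, the four malicious writes produce one finding each and the two benign controls produce none. The directory-depth heuristic is deliberately narrow (an executable directly under `C:\Users\<user>\<dir>\` or `C:\ProgramData\<dir>\`); widen it only after checking what legitimate autoruns in your estate look like, since `AppData\Local\<vendor>\` paths are common and would need a separate allow-list.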

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
(64 identical entries, collapsed.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe N/A
(64 identical entries, collapsed.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\hAUAwkMM\EScAIMcU.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\hAUAwkMM\EScAIMcU.exe N/A
(64 identical entries, collapsed.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Users\Admin\hAUAwkMM\EScAIMcU.exe
PID 1964 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Users\Admin\hAUAwkMM\EScAIMcU.exe
PID 1964 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Users\Admin\hAUAwkMM\EScAIMcU.exe
PID 1964 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\ProgramData\ecgoQkUI\POQUIsEs.exe
PID 1964 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\ProgramData\ecgoQkUI\POQUIsEs.exe
PID 1964 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\ProgramData\ecgoQkUI\POQUIsEs.exe
PID 1964 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 4924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 4924 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 4776 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4776 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4776 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3032 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 3032 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 3032 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cscript.exe
PID 3032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 3272 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 3272 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe
PID 4228 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4228 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4228 wrote to memory of 4716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\System32\Conhost.exe
PID 1856 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\System32\Conhost.exe
PID 1856 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe C:\Windows\System32\Conhost.exe
PID 1948 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe"

C:\Users\Admin\hAUAwkMM\EScAIMcU.exe

"C:\Users\Admin\hAUAwkMM\EScAIMcU.exe"

C:\ProgramData\ecgoQkUI\POQUIsEs.exe

"C:\ProgramData\ecgoQkUI\POQUIsEs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAwMoIEw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IoEYAYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCoAswEY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEcogIQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCEYcAEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuoUgEok.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mecccwwo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYEAockk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XokEcEkk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FIokEEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UggEAUcg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwUgYUcU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NCgAAcUk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGQAkAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOMwMAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWokAIYM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RigoAMIs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwwgoYEU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiwAswsA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asoAsUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZcMYEwYA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FesgkMgk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Users\Admin\DAMssswc\BUQMoAUo.exe

"C:\Users\Admin\DAMssswc\BUQMoAUo.exe"

C:\ProgramData\noMAsIok\HMAEgIkU.exe

"C:\ProgramData\noMAsIok\HMAEgIkU.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCwcMAcc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwUAAQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 228

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmQwUEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIEscYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKoUMQsU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKUMEQMc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyAoYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QecgYogI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueAogUQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgwUkokY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xQoMksgw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMoAkcEs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yugogYsI.bat" "C:\Users\Admin\AppData\Local\Temp\2024-04-03_6d632f83ec89a2fc92ad238f512e63c7_virlock.exe""

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cscript.exe

cscript C:\Users\Admin\AppData\Local\Temp/file.vbs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network


Files


C:\Users\Admin\AppData\Local\Temp\zwYe.exe

MD5 919637de55af43540bcecb95bcb56c2b
SHA1 ee72fec0fc1ec8934d879fce16fc9e854a3389ae
SHA256 5d890d626c558dd7490dafb12e5d34b4a9a12735341915fd4980de2571d0d366
SHA512 87028b7a90582170947503304b0f92c588907496bce0ed51be5526cd4234ac3351179daea3ce254643a9ae754739ea6e2e45e6768927b94f5add7985778e2894

C:\Users\Admin\AppData\Local\Temp\uIsu.exe

MD5 e8f4ec85a6fedf78a055180d0bc1445d
SHA1 066b2e3abde42abe94c95a37a6fb593ae95306b8
SHA256 e627622d37145c31b3df1a859ef64cfe96cfef32f3bbff560394a8f2d8b883f5
SHA512 6706d47e24536eb0bddb84b21c0565ddd0009c30b03ed82ef32a683a801773f0c7f5a57697aa93ae6ebc745e99605d83907d095dd1f2153a2e8ef8ed0bb7c960

C:\Users\Admin\AppData\Local\Temp\IYww.exe

MD5 51aa436b75f0a930f9f75285ca454e52
SHA1 da71ce9d1226fedbefc2d14529e966dac18cf271
SHA256 dc0a6d1ed03c1486c4c593418185850df4a3f2975d33744ac6bac601b5cbadb4
SHA512 23ff5b81c892f27f295204cbafee2b8716de5cedb1c1ae62e403a31f38a2d2f594fc245593a0b8d1bf9e3c4300c9778404c0f1b84c8429e98dcf5cc0f51486e6

C:\Users\Admin\AppData\Local\Temp\jIgY.exe

MD5 a28431ec4d35597e34203d141b6d3fc1
SHA1 752cb497b4daaa8d1ea7a42cfbf2ee9f1598d80a
SHA256 00eba28e2ff1cf4331a18807c1a04f2892d7fe40a507a769906e88a0667254db
SHA512 31cd87d71b849650d5964f9070065f29d0fce5ced4bd92bc23e0f3af2e48b0719e82c1aaa9dc00388b25a80a67c67c691d6ac5d6608b27c1761420ec6aa62ef6

C:\Users\Admin\AppData\Local\Temp\iQIq.exe

MD5 43c63e9c901571a24e29fe8d4a0649c1
SHA1 f3edbbba7748f480ed7aeb02ef0af0e4d1e60879
SHA256 774b170bc0b3541f5ec85ab74f50d378576b84af24a2a3ed22e43bd20b3e1f28
SHA512 7720b8f3a82ccf0f1881fb98484781bbf127b357c8646014e705a9d05d8b38eb1aaf6ee0c77a34b42c80132e8fa85cf4935ef64c49a26a947684ad029962974f

C:\Users\Admin\AppData\Local\Temp\Fkku.exe

MD5 f4dffacea0972b409c1cea2e7c206640
SHA1 8b8c5b93c428b6220e738f6d64fc500f64f5f0e5
SHA256 cf193d2ad1451987fdf4ef5135f999225d60045e92b56ef9066f14cdd1493533
SHA512 26cf42d97d3e60bc463fd8289712b9365c517f4b21f0fbed159c5d05790083ebf3f8c1a70f8076d7455db704597cf380814bccfc78ed598597cf5a4b16e2094d

C:\Users\Admin\AppData\Local\Temp\NkUy.exe

MD5 e4f6e71bde886ec5b7ff76e742cd77d5
SHA1 6bcb3b812f9b5cd43bf232d7ac443d29cc3f018b
SHA256 914a83de6c96eca63e7e4beaf0d77ea9baf2a37d5c95cdac24ca961f10934843
SHA512 3049ca2373f52e211a01e6065571a98796d36eadf88c9f73e81a658186fce50e2a598695c32e6c90ef101d18415e5cb602e8d0260ad9bf837fc6d6fb5b7d2fa4

C:\Users\Admin\AppData\Local\Temp\jMkc.exe

MD5 1a68d147f681df658b1a6da00e88658c
SHA1 8a721935e7fe222d5b29479e2b0e5420ea4bdef3
SHA256 ed26d651a5ba116c77d6ee2424622b5bbc8be3d151c5e2e52fee01f928fd2734
SHA512 bf59d0db5b28d864ad34e0e50f1de6f16d5a9be2117a512ed06fc4f83b6cdfb80d8912fb13ddee9962285df0bbc970c46dcf28686116f4993b30c2af27157cd7

C:\Users\Admin\AppData\Local\Temp\DYEY.exe

MD5 421c5bbe662101cff388c7a1f8dc9512
SHA1 cc409b6232adfd07edf21f7d80fadcf180a6ab60
SHA256 d46296e7bb60eeaf00258c49c40444e81b1e2d168b257f790b8200850a058d93
SHA512 b0693c42356966c8ba004fa9d0c6700fd0a83e24049333b4e64a11cbe264c7cb3db4005b330b2ddebee9dcfec3814adf084725390fe7dc249b64d9905aac9716

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe

MD5 c986f3a143318a21618c7852997e13c5
SHA1 29563984ea4659ab93ef71e379157aad2b157c01
SHA256 cdf76dc53455a9d78e7c1c1403700c49c5766e5deb8d1ab019b890cae87030ee
SHA512 81defae600de22973fb4d4583d80aa97822b52bd4a878da0e2b8f03e0c6c88ea882a52103f7580aa8efe59e60b89e57a097b311ef9ffebe8a6fe39a9e22d7b2b

C:\Users\Admin\AppData\Local\Temp\uYIK.exe

MD5 0003ce82d15e66684c283132e07176ae
SHA1 66b89a376db74a095bea74e407073e4e387aa840
SHA256 8d08b14744ae5464a0b01bf143dad3a5ac0f47de578933f7e9a5dad1feda31bc
SHA512 049be16473f8c86d68f947c76c94e4519c662f5af9aa8b69c1a0c967624e6414a53c07ae7d4b79b3f7d3b4afaea0008b93d6859433aaa7e9d04d679b371a8ddc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe

MD5 408e6aa6b03430895637dd77a2db8e09
SHA1 f96520193eeef90fbfd038a26aae9cb17f7b893b
SHA256 fb368b9eb0efa250ed27a40d79e43152c3be9fd902d63f5ddba963204b817ef9
SHA512 b7266583689576a4d1b8b8740f01adeffc0738381edfc32b5dd52b11fb637a8e8a47e27d0fd761e12bf0f86c7c158061d16dadcd430eededf97e5dfd24d3a5f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe

MD5 90ce9423175b68d84c8755bd4c659254
SHA1 aa8019296b918cc6f3225c0fdfc422cb8daf7104
SHA256 3c59d7832b97a5621f8ffeff03fb71300c6bf66922a39fec60ff11418f9fd9b4
SHA512 33e083ff734ee8cc81973489e6815e60e1cf488298a2627d4b9994b0e874687281a3fe730d0fe0c6f0a6985f5d01c12c6d4f1bfb5c5439f0bdf287f70ef7fe5a

C:\Users\Admin\AppData\Local\Temp\cIEw.exe

MD5 52780ed8255af2b03a7c6cfc788f6a3e
SHA1 d37d1ca885d42f265f1ddf49b7be9dbe3a07cf1d
SHA256 741e02036b9f03bf7a049efbf0f865d962775c1155cfd03c09f1368c27f6e2ad
SHA512 69d6e7c86cee4f6fada09b613b556e60d5a1abd714195e61a53256d4a16363c9efee9c00693ccafa083dd0a432bd2a4752f1a50ede0163b82221a44f0425a21a

C:\Users\Admin\AppData\Local\Temp\dEwA.exe

MD5 f7ff62d81edbd4e19164495d6a0c38a9
SHA1 eafb29c713eb94908f094eac9299edd09b6dcde8
SHA256 f4dd65103f0bf66770684bd21be04617af4502ed208393ca39b7ec01b27813ae
SHA512 08ba12ffc2455c31d5e1bc4b743d283f4363af13812724f617c689cbeddbaf7268398c7ab45180d6a1a08df408807570da0d756b0affae1a74b25007de3ee53a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe

MD5 8130c01d7b4dd242c3756ce02c858e14
SHA1 1f424acb091a94257478c51ef3b64829473d33fa
SHA256 e547314a564ff78744b0b3c3487238cbe584173b13efa8113e2fcc50665587de
SHA512 3fa56a65bb1d9da21558525c1c536d705ed5b1f3e15f975febfe6309c6c4bf2a1e780b0b311d3452f8d7b98511028d1422fc6ab101e38ed680a62af859df014a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe

MD5 72303e554c514cf73856e31a1088a06c
SHA1 8e7124f6a323998bec4f3b9e43f7cab52a2e5c01
SHA256 4afeba9345ea7d325e113ad20bf50a5103aee185e7c6e1a1a6f19b8ced54b287
SHA512 0c1a82c076f8542d26cdf80fef73fadd1c7ce6a270e953691f49769c7c33ce8e6d218accae4630966ea48de9b1a09903c1ed3a495f771df11ae7cc1c4879d399

C:\Users\Admin\AppData\Local\Temp\rEgG.exe

MD5 18bc7e94ed12184b49d0a7ec19decd59
SHA1 c66cf08f7b149268eb6fe9bd19c96b0140074270
SHA256 64732a7d91a7e480ed4e392d3ee4712eab41cc83c006420043231698d6910afd
SHA512 e06bcd2b19f9fca3d9f7d6a8cb36d6ce30cdb89b580e2a1b99d40485d7f0db20937fe7e9a389df8165728701655359b4d4c0b594f472561d4c08539783da8343

C:\Users\Admin\AppData\Local\Temp\xEgQ.exe

MD5 d41336d9a93ae409408e2c0a9fb9c461
SHA1 8363360d5889e2095b70666acd5a51e1e999b823
SHA256 94cbb9233d2bfad7583cd1c6fcdca0c7f4ee92f7ba9ba5686e58c3f2a461d6e4
SHA512 10a1db33e63d5ff8588a668f9296e6fa0e5994dbf48bf2784efae31c02fa8105156821b4eb6f34e3d3fc8f0dda2d43f91d3385e1d6484cbaa1d5fffa0c391253

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe

MD5 96a222e660992770bab9d2506af73f66
SHA1 57e230af9a593aed0422d80517de11f292a5c54d
SHA256 cbcdf931d06f9d669d29f9c43d37edfb83c9aed67ccd83adcd4ebdfd07567b41
SHA512 ea55e93e5079c8b56fbf671775ca5e46b8045d420eb062713bae48545bb15cdb1c047a686551dd32f6e46d2890607025db453d5aa4c7b6ee526491ef8f18f408

C:\Users\Admin\AppData\Local\Temp\PgAK.exe

MD5 c36b9db971b547c96183ecd2a6438a53
SHA1 e724b9ca3e5a741716af591dae849e93252be81b
SHA256 0f9a18b59203d9e3982a6e11e64589d3d7ce3708512cb336f543e522a9e871cb
SHA512 095af89ad12602ad83c244636caca4b6904ad16961c11120690445212464d43fcbd54b2a44e9806aa6435649c2c1660a37a27803643610cc22b99768933ccbd8

C:\Users\Admin\AppData\Local\Temp\LYQM.exe

MD5 fade8050ac9e04bdf4d6862eacf7e9dd
SHA1 ebe25e68b7058a326ec66819059eec4615af5151
SHA256 91ebbf1869380d2b3c4f5998b7f628796a3aab2612085c54be4c723d9301631c
SHA512 720a4de5b5b8e91673be3ee4f81da3a905be65863c1c0d3b8a9bf01eb4838cc21e814be33dd6cb5af26cc866d24914ea5f5372f60946288053b3b785046152aa

C:\Users\Admin\AppData\Local\Temp\yMwA.exe

MD5 8739decdacc4d4e1b5f9447cf1b0230e
SHA1 434c652a09ffd754f3132edd8f44a276c48b5ed6
SHA256 1aaa8394f2503dc549c1eff14ee7014c5919be024071807b24ce80b6906f6e7f
SHA512 6d2f718b99da94dad62df090e6c7f6e956bfeb5cdabf95e5fbe6fea9cf7efd9fb7be603546b2af8c35a39f9614bff647c112e7fbc994f62033a937a960ccdbe0

C:\Users\Admin\AppData\Local\Temp\RIkY.exe

MD5 2cb950837dca1a8740ea4725adcfac14
SHA1 2c760fbf63d3a545b0366c734cf48ecd6d3f7a1e
SHA256 ac3323e6685d6af49c09b2d56245d414e8a441fb8f832538eae48d1a9861fe5d
SHA512 f3a18263c3ab8ddf05f832696f308af417e4a8c95fedfd7df2a9dd6efde8140af4d00b58ac9b3cf5a487f8baa29970587d2bfb4a9ced281f2e69c723ca4eb9f9

C:\Users\Admin\AppData\Local\Temp\xEsI.exe

MD5 d6490be14eea9dcfe3dee88e13a75d38
SHA1 f32da2d22754524d6ccebb0bf0a9e118fb2319d8
SHA256 449d723da5b220ed506c3bf1c2e8c8d8b2f60850db8986ff3dae6d7fcbedfe89
SHA512 1e6dde091d47fb565fc10a8fc7c0ac1e9b89d3144d06e6c9b5ca46343ec323c1c1e11f17cc400c75b07d2ca02a6b3dca00a407ed9e934b907e72877241eb790b

C:\Users\Admin\AppData\Local\Temp\IQcG.exe

MD5 2f9d515d8d320896230ab00840f1d146
SHA1 d6f3da3587c1f20ba3217b59a257cb9d1677b909
SHA256 0fb1a74b6950e70933f88937803ca89fe5eb85ae0a05c8e5f9d8bdd7802dc5af
SHA512 742b7b670dd731a60b7d2c61e981cc82c86ad8bdd5a1a8c5224141afe22ed3d5da7b2cf15e2ee037508efe8404f8cfc32bdf5384527e7c4eafa3554c63aee8d2

C:\Users\Admin\AppData\Local\Temp\JgAY.exe

MD5 cdaeebaab9e054b799d75a089ff7648f
SHA1 c88ef008be01edc61169f1dad610f6d4585edb7d
SHA256 78bb4e97831fc8df3251773cf4b6492dc8b7d970b975c08d15fd8d2e2b7abdaf
SHA512 40dcb8a7d347cc670c7d9e2c562ec8af0496958d3014f2d612feacb231eeec33c0e8a4e59483cd45965d87c6a40bfff9dc29cfe02c37ce01b610d8b07c9adaa6

C:\Users\Admin\AppData\Local\Temp\XckG.exe

MD5 c7c1e5ebab959089f995b0ba114a82f5
SHA1 438ed6433906a298b55cdec7b1301d7d968d2a39
SHA256 696361f7a84218a341f30231dcef6107cf38f2b93d7ed4e7017b7a80022b0cfe
SHA512 065e1a985a882f0f95af779fdcf95af8e1dcd438f90d2c849fb6c0cb4604368498f8d7f71337c456c78c011878d566cf93dfb256d3a91f78053e515c72c69bf8

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.gif.exe

MD5 74f6dbac06be2096ed449eb4ba4f7a37
SHA1 95d0f4b195f1d9454d3f3a35dcd5b443cc5de749
SHA256 26d5fac1c4722080492c64bdcbf2384db080f5c2605c741337613b7095a3f112
SHA512 43ed8bfb4c55855c966e640844f21c106d2e2da0ebe94137a2103ba7f2ea208875e55f4eacf7a352c4630afdd6ee85f503b30159a1cf39dbf5450d4278d0b8c0

C:\Users\Admin\AppData\Local\Temp\uMkC.exe

MD5 34ab876c0d06ac09727441090c8afe25
SHA1 f64db003a929f27d4e6a8983e3c534444125f342
SHA256 74e04bd338307da7a41ff0aa559166fc8e6d347728d77aa014d3e8f961bc446b
SHA512 495acd6d0461697adab73616233352682d742362ffbfc894375728aa643ae1a10e2a58e13d920261d29427d2d79ca49e241fd8c5f011532bb2bc3ac639ae7134

C:\Users\Admin\AppData\Local\Temp\IQkK.exe

MD5 cca4317507ad1c581479cab7d203cee3
SHA1 7ef342f471ffe1d03136891b7a035e514a74ae32
SHA256 45935d3c50f839f9a5d3c97a9a61c01047abaf83ecffc8c493d5275a4647dd53
SHA512 27447dd5ada5c9911e41d61317912760583e0d85909447e519532a01aa83985e3edf8724bc08207f54263aafc24c6b0d1d4febb2b71b2e873391c7adbbaa1acc

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe

MD5 b717bbbee47d11c81c7577ac972ed37e
SHA1 1b37a30e1ef89240d74832f220f065b8cba1c1c9
SHA256 59353559cb5a816ed13e01bbd8cd0780594953934b828ee05a24b520b0d5c2ef
SHA512 5b21590c15ffab34cd22404a6bb92ccb3f242ed1fde84c1b72f4d402dc3f7817ea00988cc5c06f8a49423e3e1becb33cdaaf4e255c4cb3d9264a0690b236211e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe

MD5 ae391e1781c8a92be3c0fc3f93d8a847
SHA1 b5f7d69cca2ae58b5f15c0ebc1adc04c3367f93f
SHA256 c2eb15fe9bd690c8d8d7c45be07fa9c2eb2e0f1543aebaabab41f520aaef92c8
SHA512 7e40366b0f7f586f69e06cb349060cdb04d6e56433ca19e082cc6c7fcb7f4fc5bbdbedf6296fc1ef32f9bd19bc6acaf6f6b791dd08402117481a334845ec25a0

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe

MD5 6ece490777fa9990b8c88f11c1a3c3ff
SHA1 f05e0d635812dfa340ec14c7a5a61a3b0d8c639b
SHA256 425e5ee50896dc702273bf4b4da0978aec584445774fa7c04252913962645a89
SHA512 f7e698d9cbcfa00cf933343df5bd6000b5672b887bc176faaeb05fd9ac021433fb0fff1ef247eebb0333d3e67a5dfc9a22f1ea477cb3be7817105c752f22c278

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.exe

MD5 e77eb8d924222f0bb0f9a6f8dff42911
SHA1 1ff9f8f4c0d961dc901f8935a4c1084b379bc3d6
SHA256 bd102d5dedb2bad485f9dde0322abbf839e09dae67ad021c2562f63fe4ccd136
SHA512 e7737ecd226b7215c90310e4a08a8bcd8a8f4516bf9cee7f79df044bfe1014812950354047d2d3310f60b44d9075ce1bf5056890c70b33c11235152042c6154d

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe

MD5 9ad9bbd4e1ec0fefe64c8ee881ecf4ea
SHA1 70fd2fdf62b049b929040902947982af568458d9
SHA256 85265f14544eb521c840aefad40fb3bb17146fd1117466d66897b65a79f92f6a
SHA512 a24c5729c1ad1eeb3dbb831013014af3f12e0b6190bc4d3b232d054bf31521a70840a545ada4150cfb96a6ff7252b1bee92647e814342b3700bb7b93432eb3e5

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

MD5 d76a01198b954f6a87ffabc1b50cabb6
SHA1 5a2f7ac383adf80a4ab346c946d8594242de1119
SHA256 ea3e3de0c226d3927b1bb4900ac5ff9542cfe0e8f359f03076896bfdb9e61719
SHA512 8fa6c90770afc4d18bfd71e5226205ff7938e38c56695584e24673706523953436967e3804149db8dcb32f5f80ffd53cc241353d17e1c62e7add2434da360f0e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.exe

MD5 e780ff528f7340f64507ec523376709d
SHA1 75ec6164cda10c30254710f227603dd7f0e0fdd9
SHA256 0ff928f45e42d7709ad33a899e123515fa353efb5c2d966b6b2401ecb3f401e2
SHA512 39a519712423163c30b5bb2dd50594cdfbfd36bb34195ec03889a162f0df7f2424274b347dae8d9d43a22386468186061001f63548643896c63f3dc05609a20f

C:\Users\Admin\AppData\Local\Temp\CUEY.exe

MD5 94c34caa4cad86be24b306dce8b9dc99
SHA1 d82039e1bf7a65570290bd6711f6724db6dc70eb
SHA256 3f3449c0dd0fc8f0e87215ffc6862860422982c4845e850b85e3c64535016a21
SHA512 532ba999b3e4885126d10b269cdb5f1ba7c6eff069e418a126746ecd6e5ecff84385174973bda1b82e7cb7d59ed77250e79717807be827ce946e068a1f50850e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

MD5 0149a9ab37b4049d2b2a15d09d0894f5
SHA1 9710d50b257578b8a303df53c14459c359696a4b
SHA256 ad293c98e1e0277c89482008ba2365a24ec2562a8a5c650817c82085ff928a23
SHA512 2d7ccb8e6bb6de6e6f7b315c63c346ba70709974c3971ce8ca05c9de6c8c4d13810dfd518d31186145d69991344d1b2bb2f77dc84e98bec4a788609908372072

C:\Users\Admin\AppData\Local\Temp\JQIs.exe

MD5 cf61f4d2bb0b09c60f5360c8b4d1e7a5
SHA1 afea4d0dd8b8b759e271d2d0602229925262e73a
SHA256 0ceafbb6a5d93bf8604caab12eaf85737dcabcc5198f911951896c8a33ac0710
SHA512 6cd42a61df6452d2d9173cc1e99d2b81a1b0228fd1b9e764558742d73d7a9b275f9756e33ae63c6717cc8333d62c1e247777bd31ff25dc2998aff92cf70f1e37

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe

MD5 176339af0c9e66e0ff262a0a55a458c3
SHA1 26a69a9580b0faa10340263f0c96efd9b17f9c39
SHA256 6babd5f1920918715864a583572a7344b5d5f3507f4a7ecae753adfd20613d77
SHA512 b704716a51cc31459734e0e8bbd4942b3f0b29f961ad195e2c3d21f2fea7c97d0f6a76b34beefb49059a67008d221fab305f65ad26e98c1221e7539e4657f8a3

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

MD5 4041b79346cec8d04ba1fbf5594b4257
SHA1 55b9506a0caef074eaf607eb4e5add0adafa1307
SHA256 fe0bff164e17558529390680e3dc83fc25eb839e5214ad067cee21e0b0a571be
SHA512 18a558c53520ef18efdfe47cc4190e8a11fd81456ab28f25311dd440845649b839fd94afa2309dc7ebfde68c7a4c3b922feeea2dd2f2f6f24b679308df34c588

C:\Users\Admin\AppData\Local\Temp\DMQU.exe

MD5 76528236507056a294cfc76ca562cb0c
SHA1 3604255000e159614948c1c27443855b9172e9f5
SHA256 64390c73b791c403d599cc0915fd2968655fb8656bf3be021add8750200532ff
SHA512 927d6c653ff50db620f7c67270f1bf35ca99c11de02079f89497364429658cba44ef5526528206da1c348a4460d591ada3327da83932b60697543aa24d864226

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe

MD5 030084e12753c9500ad761d520c37851
SHA1 3b97e724b797680c175832371961087ff27332c2
SHA256 039a5e124ef5301db67200c08f96cf74969f5926a762ebe53be669f3df7c830e
SHA512 ffaf9139eec653206ed2b2a84c748e34f70b00d04608fcb7c1f8a6702d3bd3180085bf9894b79088b96f6bbdc3fb0d5b6797ac46e0f16306d4483147fef13250

C:\Users\Admin\AppData\Local\Temp\rMYW.exe

MD5 564018e8b03c06f5b640283445618726
SHA1 b3ae96bd6886fa55cb54c1b50f5b707599af9f65
SHA256 cff97554ea50e19fbd5a2cf274e9b079e7c58d3cc3cc4593faccd525aa68266b
SHA512 f2826a11c680968c054e534ab9fbdd274c2b3dd11f26b49e661a946c324b167ec4852f3bb72942ece84f1e27b7f8ee965b36f66eceeea7a3ed54931f8e24100b

C:\Users\Admin\AppData\Local\Temp\tswu.exe

MD5 31cab3b8e4dfbe95af92a97bf8bb54c8
SHA1 9c48caaa2d632e9b8354aac1071e76f827a9c1e0
SHA256 3d0b00426c496c77724c17c2a53b966e95600a6107ef354e7c54c2582e4ad8e0
SHA512 baf38ae31367546e06903aa8cf478129cf78ece1aaea8a2aededc467d4a8727b5d5ea990cb25c18cc1c11888f71593e894ff5d9983c2252ebcba723d2dfa98b7

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe

MD5 52dccefa282923ef1479f186867aab78
SHA1 2ebc6c384f4cce42ba6103983b07d1a866e129b8
SHA256 af178539b6d57e90ffe7d9df516064a611a078917e6e2934edbd3aef96d19b2e
SHA512 128b1cb2682669ae3924d9f0235b0c59d5c8c4f1413b559b72361af4b4bd045e9f1ee6230942a4281932d693f728d3764c94fd8d278e1556cbf0919e50e9853f

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

MD5 910015a2f10823f2b58b4bee46bda03a
SHA1 c3366fc44f38bef3608c89838adda27bb084a405
SHA256 e0e17235e40a7fe5ed89a937c7061db8ceac5fd32ebc37641944f9220f8457b2
SHA512 422aa5e72983ca63a22e249b36ca9fee98d2f295b75dd6ceb21ca68e9b1a157aa89964554e4f3030f7e500105ba35fe279fdeef6ddb406fe048d860b3489250c

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png.exe

MD5 094e11339e8b988213bdcd9e7adde6dc
SHA1 776c48bd0b12ddbc205f1c2f5f08da04b394f1e1
SHA256 d57488ed410a00fe820842b9d77af74433847ef69604cc31ecc614313b68ad99
SHA512 ddc0b47bc6856ab924be68b1f9a6dd83ffdd766f71fdad889f5cbc20d76e0058444697dfe25cb407886da876aebce1c57a46744bbe96b73bc534a5ebc5b47f5e

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

MD5 a67b3cd2747ef9616b6a009d7d99edbb
SHA1 6dead978aa466aa00066633a009e07e33dc8421f
SHA256 fdddb3f5c5496e35315d07a5a52aa50f5a41c2fc46e0a72cbd875117d32a4ecb
SHA512 dd8b30e8434de3d8c27aade05245374d39b8ad491c3db7283254d10226659bfdb41238d6784ec50f65b5b8ba655e593ea5b72c590b62b19f3c1cc961707466e8

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

MD5 bfb79445544d5b446cb0d2157be0ab66
SHA1 f84d960bf12ec459019cd297f0446f9834cd486b
SHA256 0b76fd2da5114dcf2a6f62b909f8049053643e6b8ee92f2cf4dfd018f9b7c1b4
SHA512 70f23d784bf941b453cf531b40a0b9747e77b49f249841b40610c609d7f18264c42f8e7a44c5549bfe0bab166fd2224cb36584e7d454e143b4ec01d6cab70260

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png.exe

MD5 a112414738440da544de032f572e5c3a
SHA1 efe29d5cbfdea76a6d255916598249af19bbac9b
SHA256 d98e2df94cdf74cf6d87ae5eaaaa518adfb7529f949abaa01e42e347135dc159
SHA512 c77414a0285da0da834ac8de2a0442369b964353ee89f1c0fcfa825ddade2f679a28776e5956a9a53dca0cf580706a1b4fb73c1e095fa54efc2719f29db632cc

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png.exe

MD5 fa652719ce699ef91e80ce60e5251e99
SHA1 175a9f22307f4f6602d855a56158b5f6dfa6a83a
SHA256 72eaffd62178325184acabbc4cf846c874d120a2c2e4f784881b9f87c0e59967
SHA512 e9e34fe7734c4b66e3d4781822b8614e0f1bb61943ec8ac379e1fe63a5beef1b1b6d2ab26ddcdc81438891d4b4d638fcee3410d3481ce1c5d0b8199a595ec008

C:\Users\Admin\AppData\Roaming\ResolveApprove.mpg.exe

MD5 beadf44060763d66cd0b6a9dc1e0aa70
SHA1 d0f011251919e7f98fe1f98ed1f678d3e7dea87a
SHA256 7b4569f5dd0f2fe38c607315fbee6e531e0480e477653cca895fc86ee8c766d8
SHA512 e672ecd190ed381d15451c0872af15d1e92bfa1c3a0ab07ab78dc1f590e262e557f938af5723435c2976d78c7a43d2da77a07c4290eac6896b2efc4568a9ab9a

C:\Users\Admin\AppData\Local\Temp\igIo.ico

MD5 f31b7f660ecbc5e170657187cedd7942
SHA1 42f5efe966968c2b1f92fadd7c85863956014fb4
SHA256 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
SHA512 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

C:\Users\Admin\AppData\Local\Temp\AskY.exe

MD5 69c1f9fa1275222b9f776323870a6678
SHA1 a2cedac48624ca5726911092f5bddf623de87127
SHA256 292bad7ab371f414d88f5f18c64abe44b975c9e5fb4fe67ce4e9f4e4a3352c18
SHA512 ea2b038e1c0d6f777f8a31f533d8c4fa9635382cf41f7d44268c22889e351a39c5a381948f689edd48d5b62e4eebc4d09a7edfad8505e80fc68669b657ee82b5

C:\Users\Admin\Documents\RestartTrace.ppt.exe

MD5 3903fe63004fddc0b84694cb5771c3ea
SHA1 4292fc2e4bc80013305b432cbfa04d1bb338d343
SHA256 8ca9e554d73c99cb919c86898acece93704552d2bc78d559a8235f3dafed26cf
SHA512 e0e74cc760ba870504f1f8693895b6a281edcbf22aafbb92c831997642a801a6ad0220f54ece7149065efc9ee2db06190dadf37ff03b923b3a84b15fd274b0bf

C:\Users\Admin\Downloads\DebugSkip.wma.exe

MD5 cf80ba61d13fe47882ffabddf900da2e
SHA1 9809b4c20474110e6ef8af9058c0941f0d4bb30c
SHA256 29c34400e9912a975337a156af163a6b84a0262d3f346eed4758bc054a39a484
SHA512 dbafc2ff575888f950fef26752d3a897f7edfbf5d8e16263ebad4cca8a2db0dd5bc0252a9136643801e2c09ede7a867d8cd98469c75df94f0721ea4dfd6b413a

C:\Users\Admin\AppData\Local\Temp\fIow.exe

MD5 cb1a311d1933db5d1094e714a3e6d7de
SHA1 ebdf493918d0cba783fcc2e7fe205c8b41e9e54b
SHA256 1b994d7d79751611e2e524053d27f5c2ec140ca9b4d27625768969fbbb73d40f
SHA512 c80792be5a8039a35e0e54f0e0ed38f195c5a780a83596d2a6ba259fa3ddb21c5f0891dc1bded63419720102bcfb308dca187632b8c4800babd1c893cd301194

C:\Users\Admin\AppData\Local\Temp\PkgU.ico

MD5 6edd371bd7a23ec01c6a00d53f8723d1
SHA1 7b649ce267a19686d2d07a6c3ee2ca852a549ee6
SHA256 0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7
SHA512 65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

C:\Users\Admin\Downloads\RegisterMerge.mp3.exe

MD5 20cb77ba53e2246bb14df142680a254d
SHA1 69f04ad06534b146adeca6b912a843b8d96496a6
SHA256 7ba528c13260a458985bdafedca5e5e6c7ac8ca683c9cd374a029978241ebaaa
SHA512 223c468ad21aa41d1b03a2b118d31704e7d6dab0353e4191f7cfa7ef94c363f7821c8ddd6b4ae95fb323cb2618e75066c867a30a12eabc54180f67e98d8b0411

C:\Users\Admin\Music\AddShow.mpg.exe

MD5 1e35094121024a9487c4a77be103d0b3
SHA1 56a141111e621087ea00ee84a83952cde2582a8f
SHA256 fe3781c4de4264854ce8622a5dd29a3972e2192cf362dd5736ea436b3b545e69
SHA512 c658f3e7fb140ccf208986859603fedb372fb42f294641bdfd65948817917ddb25b1f47860103044e615318fef3b0ebcc0c16dfaad786834460dfbdcf2419e68

C:\Users\Admin\AppData\Local\Temp\hEIW.exe

MD5 c6203f0002e86a700017e7d787edc07e
SHA1 06d97cc3c7ec2795080a2472f1c33a503d4e4ff6
SHA256 01ce5ea4303584c64fb93210f853cd18d473f732ad92c525df263a070257475c
SHA512 9755090f9fd6abb390bb21ed2e2aa54d73f9c2c71889e792048a260789bb68edea7c71d24bf70c0fa7b6451453c641bf69f0c63a934dfba5d2681805c3f5d054

C:\Users\Admin\AppData\Local\Temp\xsEk.exe

MD5 420ae5f4ddc004bdce6408cb1fd28c9d
SHA1 81e73e6493cb852b699d826301d5eca549cce7d9
SHA256 c3b60fd0f6f8ef0502d70cd91117612f26ce010f52af26f9c7812c3e47a44ffc
SHA512 9d705c3bc5fd550d035b3fecd16930caf0d6ef931171064f4b36191c87a6f63c92ebd839d872a27398704654b40e1f472c2bfb5225defa79c57ab3cd78c37d78

C:\Users\Admin\Pictures\CopyPop.gif.exe

MD5 b8df21a6c16135e6546d64a63f4be377
SHA1 fdf9b1bf5a49e62836aebbed8d9a859e831d52b9
SHA256 31e7deb58fab410c048446a92a2a268843e6e41cf186e13da07f0ad62aa740e0
SHA512 c31437057f162797f5bfd423d64e9e83884820dde0901e5faa5f02857a297b2e13871f42245bd993abce44ab717249b4782af20839eff97c5feb9eba61ab6208

C:\Users\Admin\AppData\Local\Temp\OMso.exe

MD5 4111cb140061ace0d3e81f70d100abd6
SHA1 542e867004c512422b453aab7bc89f7592bca742
SHA256 d3bb762630f14955a2bbc1e66a5697b70326cbd805b6380dd37f69fb1edc2af0
SHA512 5567c0e183620e504c2cbf36be2135d8b0d03bb8c1324d6e14425ee4fe7b42d3124e7980bf1eddbdd0001c3ce25fed9b5feb7f602135ae51b5cda73523a906af

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

MD5 37832a902eadca75bae69739eaa24615
SHA1 d84cc149ca98c9e2d46473ba730e6966c38d0181
SHA256 8e975c43352dc8bc6169a5210b87fe28cfb18123bde142059e7b8036c9596a3f
SHA512 4ca55dd5a9d4ce05ef1c8b8c72b2fc74ff442e76bb2b99069956e4be0e98e86a37bfd88780b088b0cd49e0826a7783e9cb7cbd7c0a789641283dd2ed045241f6

C:\Users\Admin\AppData\Local\Temp\ccou.exe

MD5 592e1fce40016859e278e0726acdff5b
SHA1 f84b71931d91aa1db21ddad96767dcc5eb574060
SHA256 be0a12abe78d178b13bed86a705440c17b0e0f544e527946be703b3bdf1d76da
SHA512 e4c70c2e5b7f4b19b5d5e0e51b156234452ae70610843d9cc02aa2be9472798125fe680c3bf993ef841149c5ed5bd8536f1e9ba606da089543f437961a02d3a6

C:\Users\Admin\AppData\Local\Temp\wEAq.exe

MD5 e5734e6016ede621b9c5968fb1349139
SHA1 e117b2c196274a8498afb8db890091f8ca31bc28
SHA256 b4e2f84b2b815591ffbf945ae30dfa44abea34878fdce103a4dc1c366b3b4736
SHA512 84dc2efdb7b023d23960c3a40359c8cd428da0ae9cb552ca0998494bcbcdd0f2672974b94e1ea451247864b9600afd2046e443b7506f25b151f1223e072d16f4

C:\Users\Admin\AppData\Local\Temp\xYkI.exe

MD5 5c0aaaba2643db2bc6cc80754345f6a6
SHA1 1c63bfcc6977c0aff22bc2894ff81e8bc05112fe
SHA256 54dc1b318cb8fad52882acb732a3e2ea9adb50352d614b634f35d60b38350f3c
SHA512 57a95e480b10528072764f3a3a13886b09cb117a932eedffd5f90c3dff33174379f86ed1bc7b0a3143eb0825c6a40410cbe9d3c1568d2e4a96d6ab8c593de35c

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe

MD5 25782deca5836ee10d655becb8c3b8f8
SHA1 42f68cc5a051e64e951f0ba8dd2fd31788cd42d7
SHA256 330310993c134ba6c0cbebb22dd2aeef78cdfe90094f176de3c31129bf99dead
SHA512 7c7a586119852dce288b1c9c27b69f4d3f0307054bb619d57e491f1b0fe7058a95fc6c95192f8936f86b86ed066778e26280e19a40c670fa35bd036247db4c0f

C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

MD5 b3b7a13c2dde58dcc46da15a1f21ea4d
SHA1 0877a90333e963d49dfb4511edc6029dcc20cfb7
SHA256 dbc3ea1e2eebf2dca697ba4abe0b983106c17b3125dfd778321635855f544922
SHA512 7dc7468d80033b5280759fc6a306f6d6d89ac28f92492abf6fc798d31f17ee576831167672394515923899ff4c7e6b2cea27b07a142f634e9cf0671ab6ed4fec

memory/2432-1990-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3908-1996-0x0000000000400000-0x0000000000432000-memory.dmp
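The listing above is the report's raw "Files" table: each dropped or modified file as a path followed by its MD5, SHA1, SHA256 and SHA512. Two patterns in it are worth turning into detection logic. First, VirLock does not overwrite victim files with a new extension; it wraps them and appends `.exe` to the existing name, so infected copies keep a double extension (`RestartTrace.ppt.exe`, `192.png.exe`, `AutoPlayOptIn.gif.exe`). Second, the loader copies it drops into `%TEMP%` use short random names (`kUYo.exe`, `uIkw.exe`, `LAoI.exe`). The Python below is an added example written for this page, not tooling from the report or the sandbox vendor: it parses the table in the layout used here, classifies each entry by those two patterns, and builds a hash index so a file or digest can be checked against the listed IoCs. The three entries embedded in `SAMPLE_LISTING` are copied from the table above; the category names, the extension list in `DOUBLE_EXT_RE` and the four-letter loader-name assumption in `TEMP_LOADER_RE` are this example's own choices, not something the report states.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed excerpt of the report's "Files" table (three entries copied from
# the page) in the report's own layout: path, blank line, one hash per line.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\kUYo.exe

MD5 89e9599464472946257472a69688f382
SHA1 394be6ff9965997acb385c32e5605dc3a619a1fc
SHA256 04d4b21dbfc9303beadbf6b7b439b9a1386679b31fac90ca5b21e5208ea8f6d3
SHA512 c078fa28e64b48b93e315176f01cb3378868e7eee93cf73c66c3ce8984d38dcbd904aed7156c968c3bc2a42a7872844bf4e4ac1a4784cab30a74564afb5994c5

C:\Users\Admin\Documents\RestartTrace.ppt.exe

MD5 3903fe63004fddc0b84694cb5771c3ea
SHA1 4292fc2e4bc80013305b432cbfa04d1bb338d343
SHA256 8ca9e554d73c99cb919c86898acece93704552d2bc78d559a8235f3dafed26cf
SHA512 e0e74cc760ba870504f1f8693895b6a281edcbf22aafbb92c831997642a801a6ad0220f54ece7149065efc9ee2db06190dadf37ff03b923b3a84b15fd274b0bf

memory/2432-1990-0x0000000000400000-0x0000000000432000-memory.dmp
"""

HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Assumption: VirLock keeps the victim's original extension and appends ".exe",
# so an infected user file shows up as "<name>.<docext>.exe".
DOUBLE_EXT_RE = re.compile(
    r"\.(png|gif|jpg|jpeg|mpg|mp3|wma|ppt|pptx|doc|docx|xls|xlsx|pdf|txt)\.exe$", re.I
)
# Assumption: the dropped loader copies are four-letter random names in %TEMP%.
TEMP_LOADER_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Za-z]{4}\.exe$")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)  # algo name -> lowercase hex digest


def parse_listing(text: str) -> list:
    """Parse the report's path/hash layout into FileEntry objects.

    A non-empty line that is not a hash line starts a new entry; hash lines
    attach to the most recent entry. Memory-dump lines carry no hashes.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = FileEntry(path=line)
            entries.append(current)
    return entries


def classify(path: str) -> str:
    """Label an entry by the two VirLock artefact patterns visible in the table."""
    if path.startswith("memory/"):
        return "memory-dump"
    if DOUBLE_EXT_RE.search(path):
        return "infected-user-file"
    if TEMP_LOADER_RE.search(path):
        return "dropped-loader"
    return "other"


def summarize(entries: list) -> dict:
    """Count entries per category, e.g. to see how many user files were wrapped."""
    return dict(Counter(classify(e.path) for e in entries))


def build_ioc_index(entries: list) -> dict:
    """Map (algo, digest) -> path so any one of the four digests identifies a file."""
    return {(algo, digest): e.path for e in entries for algo, digest in e.hashes.items()}


def lookup_digest(algo: str, digest: str, index: dict):
    """Return the listed path for a known digest, or None if it is not an IoC."""
    return index.get((algo.upper(), digest.lower()))


def scan_bytes(data: bytes, index: dict):
    """Hash in-memory file content with all four algorithms and return the first hit."""
    for algo, fn in (("MD5", hashlib.md5), ("SHA1", hashlib.sha1),
                     ("SHA256", hashlib.sha256), ("SHA512", hashlib.sha512)):
        hit = lookup_digest(algo, fn(data).hexdigest(), index)
        if hit is not None:
            return algo, hit
    return None


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(summarize(parsed))
    idx = build_ioc_index(parsed)
    print(lookup_digest("sha256", "8ca9e554d73c99cb919c86898acece93704552d2bc78d559a8235f3dafed26cf", idx))
    print(scan_bytes(b"constructed benign content", idx))  # not in the listing
```

To use this against the full table, paste the whole "Files" section into `parse_listing` instead of the excerpt; the memory-dump lines at the end parse as hash-less entries and are simply skipped by the index. Hash matching only catches the exact samples from this detonation, since VirLock rewrites itself on every infection, so the double-extension rename pattern is the more durable of the two signals for hunting across hosts.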